Saturday, August 8, 2015

Release: SKFU's Pr0xy³


3 years after "SKFU's Vita Pr0xy" and 2 years after "SKFU's Pr0xy", I've decided to continue its success story and update it once again. Please welcome back: SKFU's Pr0xy³


It's more than just a Proxy Server. With the implementation of a Web Server, a DNS Server and a Dump Server, you can work a lot faster and don't have to use multiple tools for network research.

The Web Server now provides a way to redirect requests to local files without the need for Apache or similar. The DNS Server and its functions greatly improve the possibilities you have. The XBOX ONE, for example, does not support proxy servers - use the DNS Server to redirect requests instead!

The Dump Server may be useful for anyone who wants to quickly send data from a browser to your desktop. You don't have to upload it somewhere, just create a websocket client and send it to the Dump Server. Surely also useful for working with WebKit exploits! :)
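To show what the Dump Server has to do on the receiving end, here is an added example (not code from SKFU's Pr0xy): the WebSocket handshake key computation and the decoding of masked client-to-server frames, with a frame encoder that stands in for the browser-side client. The GUID is the fixed constant from RFC 6455; the mask bytes are a constructed sample.

```python
import base64
import hashlib
import struct

# Added example, not code from SKFU's Pr0xy: the server-side core a
# WebSocket "dump" receiver needs, handshake key plus client-frame decoding.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed value from RFC 6455


def accept_key(sec_websocket_key: str) -> str:
    """Sec-WebSocket-Accept header value: base64(SHA-1(client key + GUID))."""
    digest = hashlib.sha1((sec_websocket_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def encode_client_frame(payload: bytes, opcode: int = 0x2,
                        mask: bytes = b"\x12\x34\x56\x78") -> bytes:
    """Masked single frame as a browser sends it (opcode 0x2 = binary data)."""
    head = bytes([0x80 | opcode])  # FIN bit set: one unfragmented frame
    n = len(payload)
    if n < 126:
        head += bytes([0x80 | n])
    elif n < 0x10000:
        head += bytes([0x80 | 126]) + struct.pack("!H", n)
    else:
        head += bytes([0x80 | 127]) + struct.pack("!Q", n)
    return head + mask + bytes(b ^ mask[i % 4] for i, b in enumerate(payload))


def decode_client_frame(buf: bytes):
    """Return (opcode, payload, bytes_consumed) for one masked client frame."""
    if len(buf) < 2:
        raise ValueError("frame too short")
    opcode, length, pos = buf[0] & 0x0F, buf[1] & 0x7F, 2
    if not buf[1] & 0x80:
        raise ValueError("client-to-server frames must be masked (RFC 6455)")
    if length == 126:
        length, pos = struct.unpack("!H", buf[2:4])[0], 4
    elif length == 127:
        length, pos = struct.unpack("!Q", buf[2:10])[0], 10
    mask, pos = buf[pos:pos + 4], pos + 4
    if len(buf) < pos + length:
        raise ValueError("incomplete frame, read more bytes first")
    payload = bytes(b ^ mask[i % 4] for i, b in enumerate(buf[pos:pos + length]))
    return opcode, payload, pos + length
```

A real receiver reads the HTTP upgrade request from a TCP socket, answers with `101 Switching Protocols` carrying the accept key, then loops over `decode_client_frame` and writes each binary payload to a file.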

The changelog is quite huge, so I'll only list the major updates here:

  • Implemented an HTTP Web Server
    • Works standalone or as local file redirection support for Proxy Server
  • Implemented a DNS Server
    • Redirect requests to IP or domain
    • Forward requests
    • Blacklist requests
  • Implemented a Dump Server
    • Receives dumps via WebSocket
    • Built-in hex editor
    • Save to file
    • Send commands to client
  • Treeview for Proxy Server logs
    • Quick clicks (direct search and direct open)
  • Design / icon updates
  • Settings updated
  • Encode / Decode tool improved
    • MD4, MD5, SHA1, SHA224-512, SHA3_224-512
  • Major backend update
    • Qt 5.5
    • Faster loading times
    • Less space requirements
    • Dependency strips
    • 100% cross-platform code
    • Update notifications
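As an added example of the DNS Server's redirect and blacklist rules listed above (not SKFU's Pr0xy code), this builds the reply for a name that has a rule and hands everything else back to the caller for forwarding; the rule table, the 192.0.2.x address and the ".test" names are constructed sample values, and only A records are synthesised.

```python
import socket
import struct

# Added example, not code from SKFU's Pr0xy: the rule logic of a lab DNS
# server as described above. A rule maps a name to an IPv4 address (redirect)
# or to None (blacklist, answered with NXDOMAIN); unlisted names return None
# so the caller can forward the raw query to a real resolver.


def parse_question(msg: bytes):
    """Return (transaction_id, qname, qtype, end_offset) of the first question."""
    tid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12  # question starts right after the 12-byte header
    while msg[pos] != 0:
        n = msg[pos]
        if n & 0xC0:
            raise ValueError("compression pointer not expected in a query name")
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype = struct.unpack("!H", msg[pos + 1:pos + 3])[0]
    return tid, ".".join(labels).lower(), qtype, pos + 5  # skip 0, qtype, qclass


def build_response(query: bytes, rules: dict, ttl: int = 60):
    """Reply bytes for a redirected or blacklisted name, None to forward upstream."""
    tid, qname, qtype, qend = parse_question(query)
    if qname not in rules:
        return None
    question = query[12:qend]
    if rules[qname] is None:  # blacklisted: RCODE 3 (NXDOMAIN), no answers
        return struct.pack("!HHHHHH", tid, 0x8183, 1, 0, 0, 0) + question
    if qtype != 1:  # only A queries get a synthesised answer
        return struct.pack("!HHHHHH", tid, 0x8180, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", tid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    # 0xC00C = pointer to the name at offset 12; type A, class IN, TTL, 4 bytes
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(rules[qname])
    return header + question + answer


def build_query(name: str, tid: int = 0x1234, qtype: int = 1) -> bytes:
    """Constructed query, as a console or browser resolver would send it."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)
```

Wire it to a UDP socket bound to port 53 on the lab network and point the device's DNS setting at that host; whenever `build_response` returns None, relay the query to the upstream resolver and return its reply unchanged.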

If you have some clever feature idea or found a bug, let me know!

Download (Win32): CLICK


I hope you like it,

- SKFU

Sunday, March 15, 2015

HowTo: Install PS4 Beta 2.50

Hey guys, this is just a quick tutorial to show that I'm still alive :)

Finding the 2.50 Beta PUP/Firmware was very easy. Basically every PS4 requests the beta XML file which stores the information required to get the .PUP file.


So once I spotted this XML file via SKFU's Pr0xy, I first tried to simply redirect the normal "ps4-updatelist.xml" to the beta one. This failed. Second try was to download the PUP and install it from a USB stick via the PS4's safemode. This also failed.

My last idea was to create a new "ps4-updatelist.xml" and redirect the normal one to my custom XML. This worked :) Steps to reproduce are below:

  1. Get any SKFU's Pr0xy server (wololo.net)
  2. Start & set up the Proxy Server on your PlayStation4
  3. Redirect "http://feu01.ps4.update.playstation.net/update/ps4/list/eu/ps4-updatelist.xml" to "http://zload.net/ps4/beta/ps4-updatelist.xml"
    1. In case you're from another region, change "/eu/" to your region code!
  4. Search for an update on your PS4
  5. Download, install and enjoy 2.50 Beta :)
    1. In case this does not work, try the installation via safemode "Update using Internet". If you have set up the proxy already, it also works in safemode.

Best regards,

- SKFU


Thanks to TheZ and Wololo!



Thursday, October 30, 2014

PS4 Firmware 2.00 - Quick Review

It took a while until I found some spare time to check firmware 2.00 for the PlayStation4, but it was worth it!

First I'll show you two funny screenshots from my PS4:

I told you the TitleID research is important, didn't I?
NPXS20993

So yes, I could finally access the Debug Settings on a retail console. But no, we can not use it :)
Sony learned their lesson and removed the back-end so this is not very useful for us.
Maybe there is a way to unlock its full potential, but I could not find it, yet.

Here I explained how to start applications by their TitleID on PS4. This kind of information is very important and I would like to encourage everyone to try it and add your results to the public list of PS4 TitleIDs.


Next on my list was to check WebKit. Sure, the stand-alone Internet Browser's WebKit was updated, but what about other applications and games?

Any application listed under the "TV & Video" menu uses a quite old WebKit.
To be more specific:

Mozilla/5.0 (PlayStation 4) AppleWebKit/531.3 (KHTML, like Gecko) SCEE/1.0 Nuanti/2.0

Worth a try for those who want 2.00 :)


Last but not least I made a ridiculous discovery. This one has to do with a memory leak which led me to super interesting data. So far I got around 15MB of compressed but clear-text script data. If you wonder if this is a lot, YES IT IS! In a readable layout this is more than 250,000 lines of code.

Currently I shared this with a handful of trusted developers to help me master this amount. Once we are through it we'll post about it, so stay tuned!


Please remember this was only a quick review which took like 2 hours, surely there's still a lot to find on this firmware :)


- SKFU

Tuesday, October 28, 2014

Tutorial: PS4 Remote Play via ANY Android Device

Normally I do not post about work of other people but since this comes from outside of the normal PlayStation scene I think it's worth talking about.

Remote Play Button (step 9)
  1. In case you have it installed, uninstall the PlayStation®App from your device
  2. Download this .apk file
    1. Move the file to "/System/App/"
    2. Change the permission of the .apk to RW-R-R
  3. Download this .dex file
    1. Move the file to "/Data/Dalvik-Cache/"
    2. Change its permissions to RW-R-R
  4. Download these two XML files: 
    1. com.playstation.playstationcertified.xml
    2. com.playstation.remoteplayident.xml
    3. Move the files to "/System/etc/permissions/"
    4. Change their permissions to RW-R-R
  5. Download these two JAR files:
    1. com.playstation.playstationcertified.jar
    2. com.playstation.remoteplayident.jar
    3. Move the files to "/System/Framework/"
    4. Change their permissions to RW-R-R
  6. Reboot your phone/tablet
  7. Start the PlayStore, download and install the PlayStation®App
  8. Install the .apk file you downloaded at step 2
  9. Start the PlayStation®App and click the remote play button
  10. Play remotely!

Credits go to everyone involved from xda-developers.com + especially Wesley32 for the original tutorial!

Maybe someone can get it to work with BlueStacks for easy PC compatibility? :)


- SKFU

Tuesday, October 14, 2014

DRIVECLUB may brick your PS4 Blu-Ray Drive?!

Driveclub is currently facing a lot of problems including a few delays, server-side problems and more. Today a friend from Hong Kong told me about a major bug which he faced on the release day of Driveclub.

Since he is a PS+ subscriber, he has access to the free PS+ version of Driveclub. He added it to his download list, waiting for the next time he'd be online.

Meanwhile he also purchased the disc version of Driveclub. Full of "GREATNESS AWAITS" thoughts, he turned on his PS4 and went online.

As the Driveclub PS+ version was already in his download list, it began to download. While the game was downloading, he wanted to use his disc version and pushed it inside the PlayStation 4's Blu-Ray drive. 

It seems that no one actually ever tested whether a user would do that. The disc drive of my friend stopped working right away. Ejecting and inserting works fine, but the PS4 won't read any disc anymore.

We guess that this happened because the disc version and the PS+ version share the same TitleID and that having the same one mounted twice is impossible to handle for the PS4. Inserting any disc simply results in a popup, showing that the game is already inserted.

Rebooting the system or anything safe-mode like did not help. Currently his PS4 sits in a service center waiting for a solution. 


- SKFU

Sunday, October 5, 2014

PSV 3.30 Statement

I've just read Wololo's recent article about how the actual 3.30 firmware for SONY's PlayStation VITA changed a lot of things in the scene. Please read it before this post, as I won't sum up everything again here.

Many patches prevent current hacks and exploits from being used on firmware 3.30.
But the question is: "Do we really need 3.30?"


If you waited your whole life for theme-support on the PSV, then you probably do need it. But that's not the case for the majority in my view. The scene should now finally focus on one firmware which is 3.18.

WebKit, PKG Installer and PSP Emu exploits on this firmware give us all opportunities required to develop a decent homebrew-enabled and native hackable system. Updating the operating system can be targeted at a later time, just like it was done for the PS3.

It's kind of useless to play SONY's cat and mouse game and re-develop PSP emulator exploits for every firmware just to wait for the next patch again.

And for those who still care about 3.30 - Yes, I can confirm the PKG Installer is still working on it.
An even more interesting piece of information for you might be that there is a way to install PKG files without even touching the PKG Installer application :)


Good luck and stay focused,

- SKFU

Friday, September 19, 2014

PS4 - The State of Things Part III: I/O Vulnerability Analysis

After we checked the environment of the PS4, we should continue with a more detailed analysis of where, how and what we can import to and export from the system to actually affect it.

Let's see what our general I/O possibilities are first:

USB

Have you noticed the application "SHAREfactory" on your PS4? One of its interesting features is to import music files via USB. Vulnerability? Maybe. At least FFmpeg has all current patches applied.

SHAREfactory USB music import. Also useful as mediaplayer :)
Another USB feature is the import and export of screenshots, gameplay videos and savegames. Worth checking, I'd say.

HDD

As expected the HDD is encrypted so you can't do much here, yet. But remember the PS3 HDD Encryption Fail!

WIFI / LAN

Yes, this is my favorite one. Please understand that I'll keep some details here to prevent unnecessary patches before things get gold.

As always for network sniffing, modding and more, you can use either Wireshark, Charles, or SKFU's Pr0xy.

One interesting thing we found is about "Final Fantasy XIV: A Realm Reborn". If you check the game during its startup, you may notice that it receives patch files in-game and not, as other games do, as a PKG before the game boots.

http://patch-bootver.ffxiv.com/http/ps4/ffxivneo_release_boot_eu/2014.04.02.0000.0000/?time=2014-04-04-11

A quick look in the downloaded file shows us that it downloads a ".patch" file. This file is installed just like a .PKG file but without its header checks. Vulnerability? Maybe.

There may be a lot more vulnerable games but since we are still not super-rich, we really appreciate any PSN code donation to research more of them. If you would like to contribute, push a PSN code to skfu@skfu.xxx. USA and German PSN codes are welcome! Thanks in advance!

HDMI

HDMI and vulnerable I/O? Yes! Not many people think about it, but HDMI has 2 nice features called CEC and HEC. There's even a good documentation about CEC vulnerability testing here.

I have only briefly researched this, so I am counting on you guys! More information about this topic is available here.

DISC DRIVE

Well, you can already dump PS4 games with specific BD drives on your PC and check their contents.

Another interesting and often forgotten feature is the ability to run Homebrew via BD-J. The whole BD-J system is based on Java 1.3 -> Vulnerability? Maybe.

Hereby I release a minimal PS4 BD-J SDK which is based on FreePlay's Minimal BD-J SDK for PS3, credits to him! It also contains a small "Hello World" example which is just for testing purposes, i.e. it's dirty test code only.

ADDITIONAL DEVICES

The PlayStation4 supports some additional devices which communicate with each other. This includes for example the PlayStation VITA but also mobile phones with installed companion applications which can lead to interesting results as shown in "PS4 - The State of Things Part II"!

Remember that you can decrypt any companion application traffic for smartphones with Charles and/or a little bit of RE.

Other devices, like headsets and remote controllers, are connected via Bluetooth. They can be sniffed and analyzed.

UART

115200, n, 8, 1


Happy hacking!

- SKFU