Tuesday, October 14, 2014

DRIVECLUB may brick your PS4 Blu-Ray Drive?!

Driveclub is currently facing a lot of problems, including a few delays, server-side problems and more. Today a friend from Hong Kong told me about a major bug he ran into on the release day of Driveclub.

Since he is a PS+ subscriber, he has access to the free PS+ version of Driveclub. He added it to his download list, waiting for the next time he'd be online.

Meanwhile he also purchased the disc version of Driveclub. Full of "GREATNESS AWAITS" thoughts, he turned on his PS4 and went online.

As the Driveclub PS+ version was already in his download list, it began to download. While the game was downloading, he wanted to use his disc version and inserted it into the PlayStation 4's Blu-Ray drive.

It seems that no one ever tested what happens when a user does that. My friend's disc drive stopped working right away. Ejecting and inserting works fine, but the PS4 won't read any disc anymore.

We guess that this happened because the disc version and the PS+ version share the same TitleID, and the PS4 cannot handle having the same TitleID mounted twice. Inserting any disc simply results in a popup saying that the game is already inserted.

Rebooting the system or anything safe-mode like did not help. Currently his PS4 sits in a service center waiting for a solution. 


- SKFU

Sunday, October 5, 2014

PSV 3.30 Statement

I've just read Wololo's recent article about how the current 3.30 firmware for SONY's PlayStation VITA changed a lot of things in the scene. Please read it before this post, as I won't sum up everything again here.

Many patches prevent current hacks and exploits from being used on firmware 3.30.
But the question is: "Do we really need 3.30?"


If you waited your whole life for theme-support on the PSV, then you probably do need it. But that's not the case for the majority in my view. The scene should now finally focus on one firmware which is 3.18.

The WebKit, PKG Installer and PSP Emu exploits on this firmware give us all the opportunities required to develop a decent homebrew-enabled and natively hackable system. Updating the operating system can be targeted at a later time, just like it was done for the PS3.

It's kind of useless to play SONY's cat and mouse game and re-develop PSP emulator exploits for every firmware just to wait for the next patch again.

And for those who still care about 3.30 - Yes, I can confirm the PKG Installer is still working on it.
An even more interesting piece of information for you might be that there is a way to install PKG files without even touching the PKG Installer application :)


Good luck and stay focused,

- SKFU

Friday, September 19, 2014

PS4 - The State of Things Part III: I/O Vulnerability Analysis

After checking the PS4's environment, we should continue with a more detailed analysis of where, how and what we can import to and export from the system in order to actually affect it.

Let's see what our general I/O possibilities are first:

USB

Have you noticed the application "SHAREfactory" on your PS4? One of its interesting features is importing music files via USB. Vulnerability? Maybe. At least FFmpeg has all current patches applied.

SHAREfactory USB music import. Also useful as mediaplayer :)
Another USB feature is the import and export of screenshots, gameplay videos and savegames. Worth checking, I'd say.

HDD

As expected, the HDD is encrypted, so you can't do much here yet. But remember the PS3 HDD Encryption Fail!

WIFI / LAN

Yes, this is my favorite one. Please understand that I'll keep some details here to prevent unnecessary patches before things get gold.

As always for network sniffing, modding and more, you can use either Wireshark, Charles, or SKFU's Pr0xy.

One interesting thing we found concerns "Final Fantasy XIV: A Realm Reborn". If you watch the game during its startup, you may notice that it receives patch files in-game, rather than as PKGs before the game boots, like other games do.

http://patch-bootver.ffxiv.com/http/ps4/ffxivneo_release_boot_eu/2014.04.02.0000.0000/?time=2014-04-04-11

A quick look at the downloaded file shows us that it downloads a ".patch" file. This file is installed just like a .PKG file, but without its header checks. Vulnerability? Maybe.

There may be a lot more vulnerable games but since we are still not super-rich, we really appreciate any PSN code donation to research more of them. If you would like to contribute, push a PSN code to skfu@skfu.xxx. USA and German PSN codes are welcome! Thanks in advance!

HDMI

HDMI and vulnerable I/O? Yes! Not many people think about it, but HDMI has 2 nice features called CEC and HEC. There's even good documentation about CEC vulnerability testing here.

I have only briefly researched this, so I am counting on you guys! More information about this topic is available here.

DISC DRIVE

Well, you can already dump PS4 games with specific BD drives on your PC and check their contents.

Another interesting and often forgotten feature is the ability to run Homebrew via BD-J. The whole BD-J system is based on Java 1.3 -> Vulnerability? Maybe.

Hereby I release a minimal PS4 BD-J SDK which is based on FreePlay's Minimal BD-J SDK for PS3, credits to him! It also contains a small "Hello World" example which is just for testing purposes, i.e. it is dirty test code only.

ADDITIONAL DEVICES

The PlayStation 4 supports some additional devices which communicate with it. This includes for example the PlayStation VITA, but also mobile phones with installed companion applications, which can lead to interesting results as shown in "PS4 - The State of Things Part II"!

Remember that you can decrypt any companion application traffic for smartphones with Charles and/or a little bit of RE.

Other devices, like headsets and remote controllers, are connected via Bluetooth. They can be sniffed and analyzed.

UART

115200, n, 8, 1


Happy hacking!

- SKFU

Sunday, September 14, 2014

PS4 - The State of Things Part II: Environment Analysis

Sadly there's no blueprint of the PS4's filesystem as far as I know, so how would we know where we want to go? We need to collect as much information about the filesystem and its environment as possible to even be able to determine our possible research targets and vulnerabilities.

For any PlayStation platform there are 3 good and legitimate ways to go:

Way 1: Open Source Software & Open Documentation

Any Open Source Software used on the PlayStation4 is listed at http://www.scei.co.jp/ps4-license/.
A quick look through them reveals that many licenses force SONY to distribute copies of the software used, which for the PS4 are:

  • cairo
  • Mono VM
    • "For request, please send e-mail to: pss_opensource_info@scei.co.jp with “PS4 Mono LGPL Request” in the subject line. In the body of the e-mail include your name and e-mail address."
  • Webkit
  • FFmpeg

Since we have the sources, we can go through them, look for bugs and/or compare publicly available exploits to see if they are patched, for example via http://www.exploit-db.com/.

Furthermore, you can check the World Wide Web for publicly available documentation about the system; sites like http://develop.scee.net/ are very useful. As an example, you can find the content guidelines for the PS4 web browser and a quite interesting presentation from 2013 there.

Way 2: Hardware Analysis

Not exactly the stuff I like to do, but one of the most interesting and promising research fields, I think.

It is surely also the most expensive way to do research. If you're lucky enough to own or be able to purchase proper hardware for this kind of research, you have tons of possibilities.

There's already a lot of information about PS4 hardware research available in the PS4 Developer Wiki, including some dumps and more.

Even if you do not have access to a fast enough logic analyzer, there's cheap & good hardware for simple chip dumps. You could also check out other hardware interaction possibilities like UART (115200,n,8,1 in our case).

Way 3: Installed Software Analysis

Check the software on the target system for bugs which may lead to information leaks or similar. 

One of the best things which can happen at start is that you find a way for dumping parts of the memory which may reveal sensitive and useful information about the PS4 environment. 

A good example is the recently revealed exploit for the Wii U via its web browser & WebKit, which quite early led to memory dumps. WebKit is known to be a weak point on nearly every system!

The Result

A decent result will give you a good overview of how the system works, which processes are linked to each other, what the filesystem looks like and more.

Here's an example for the PlayStation4 filesystem: CLICK TO DOWNLOAD

The shown folders and files are based on our research until now. Some files and folders are missing and may be updated.

Part III of my "The State of Things" articles will arrive soon!

- SK

Friday, September 12, 2014

PS4 - The State of Things Part I: TitleID's [#1 Update]

Yeah I'm still here! A lot of information was collected, analyzed and misused in the past months. I want to share an overview with you and I'll start with "Part I: TitleID's".


This post is not entirely about the PS4, it will include some information about the PSV as well.

Why are we interested in TitleID's?


Both the PS4 and the PSV use the well-known system of TitleIDs to identify games and apps. Most of them are visible to you via either the LiveArea on PSV or the menu of the PS4.

Some of them, on the other hand, are only used as references for internal modules or similar and are therefore hidden. The most interesting ones are those linked with applications you are not supposed to see, which are just implemented for tests, were forgotten or exist for other unknown reasons. Do we want to find and start them? Yes, we do!

How do we find valid TitleID's?

Well, the best start is to look at the error reports of the consoles. Once a game or app crashes, a small error report is generated and you can view this information via the system's settings. You'll see that the TitleID is always included.

NPXS19999 is the TitleID
Surely this will not lead us to any interesting hidden applications, since those are most likely never active and cannot be crashed without even knowing how to start them, but it will give us a good starting point, since the range of commonly used system IDs is huge (NPXS00000-NPXS9999). So now we need a way to test for valid IDs, i.e. a possibility to launch games/apps by their TitleID by brute-forcing.

How do we start apps/games by TitleID's?


PS VITA Method: [UPDATED]

[UPDATE]

For simplicity, here's a small webform which will unlock the PKG Installer for your PS VITA: http://www.zload.net/pkg/ kindly hosted by The Zett. Just enter the E-Mail address you use on your PSV and the script will send you the unlock E-Mail.

[/UPDATE]

On PlayStation VITA there are many ways to achieve our goal, so it's not important right now if one of them is public. I will show you the simplest one. You have probably noticed the leak of information regarding a hidden PKG installer a few months ago; this was achieved using this technique.

Simple as it is, the only thing you have to do is set up the E-Mail client application on your PlayStation VITA and send yourself an HTML E-Mail with the following content, so that you receive it on your PSV.

<a href="psgm:open?titleid=NPXS10031">OPEN PKG INSTALLER</a>

Open your E-Mail app and click the link, and the PKG installer will start. You may want to replace the titleid parameter with any of your choice. I have a small list of tested TitleIDs for PSV right here, feel free to add or modify information.

PS4 Method:

For the PlayStation 4 our method is a bit more complicated and requires a bit of RE knowledge for Android and/or iOS. I'll describe an example for Android:

Please grab a copy of the Metal Gear Solid V: GZ companion app for Android and save the APK on your PC. APK Downloader is useful here! ( It's a fantastic game, I'm really sorry I had to use this one :( )

Now you'll need the APK-Multi-Tool. Set up the tool and place the MGS companion APK file in the "place-apk-here-for-modding" folder. Start the tool via "Script.bat" and choose option 9 to decompile the APK. You now have a decompiled copy of the APK in your "projects" folder.

Locate the "PS4Net$1.smali" source file in "/smali/jp/konami/mgsvgzapp/", open it, replace the MGS V: GZ TitleIDs with one of your choice and save the file. Go back to the APK-Multi-Tool script and choose option 15 (assuming your Android phone is connected in debugging mode).

Now you can start the app on your phone, choose the main option and it will find your PS4 after you have logged in to PSN. Normally the application would start Metal Gear Solid V: GZ, but now it tries to start your TitleID, if available.

The authentication system used for the secure communication between your phone and your PS4 is well done, but sadly not useful against a modification like this. Feel free to join the list of tested TitleIDs for PS4.

For obvious reasons I made a small TitleID launcher to test different IDs a lot faster.

XBOX ONE Method:

In the APK described in the PS4 method you might have noticed that there is code for the XBOX ONE version of the game as well. Nearly the same system, have fun.


Stay tuned for Part II!

Best regards,

- SKFU

Thursday, November 14, 2013

PS4 - Game Dumps, HDMI Fail & more...

Sleeping sucks, you miss news of different timezones for sure. So, what did happen while I slept?

1) PS4 Game Dumps


According to an A9VG member, PS4 games can be dumped with a common PC Blu-Ray drive.

It seems that a few games have already been dumped, including Killzone, Knack, Battlefield 4 and AC4.

As soon as I get access to a disc or a dump myself, I will do an analysis of the contained files.


For more details of the dumps, like game disc sizes and file structure please check out PS3Hax.

2) HDMI Fail

What happens if you force students to build your Next-Gen console under pressure? Well, they might return you faulty HDMI jacks.

IGN, Kotaku and many more individual users report that their PS4 video output stopped working. The console apparently is unusable for those who experienced it.

3) For those who already received a console

Sadly I'm still looking for a PS4 unit; if you can help me to get one, contact me at skfu@skfu.xxx.


In case you got a unit for yourself, here are some examples of what has to be tested:

  • Before powering up the unit for the first time, make a 1:1 dump of the HDD
    • Explore the HDD dump
  • Dump a game disc
    • Burn the dump to an empty BD
    • Check if the PS4 recognizes the disc
  • Check any files which can be transferred from the PS4
    • Savegames, etc
  • Install a modified firmware
    • Use my PS4FwTool
    • Extract 2 firmwares
    • Rebuild a new firmware based on both outputs
    • Possible brick! Do at your own risk!
    • Recovery menu should bring you back in case of faulty firmware, but only do this if you actually are aware of the risk and know what you do!
  • Sniff anything
  • Modify the Companion Tool (iOS/Android)
    • Intercept game traffic between Companion Tool and PS4 game
  • etc.

Happy hacking,

- SKFU

Wednesday, November 13, 2013

PS4 US Launch Preparation

2 days left until the official PS4 launch in the USA. Sony is pushing all necessary sites and files online.


1) PS4 Firmware Download

This time SONY officially released firmware 1.5. A few things we now know for sure:

The 0x01000000 in the SLB2 firmware container files is the SLB2 version, not the firmware version.
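As an added example (not the post's own code), a small parser that makes this concrete: the bytes 01 00 00 00 at offset 4 are the little-endian container version of the SLB2 wrapper, separate from the firmware version carried inside. The header and entry layout follow the community-documented SLB2 format and are treated as an assumption here; the sample container is constructed inside the code rather than taken from a real update file.

```python
import struct

# SLB2 layout as documented by the community (assumption, not confirmed by
# the post): 0x20-byte header followed by 0x30-byte entries, 512-byte blocks.
SLB2_MAGIC = b"SLB2"
BLOCK_SIZE = 0x200
HEADER_FMT = "<4sIIII12x"   # magic, version, flags, file_count, block_count, reserved
ENTRY_FMT = "<II8x32s"      # block offset, size in bytes, reserved, filename


def build_sample_slb2(files):
    """Pack (name, data) pairs into a constructed SLB2 container for testing."""
    header_blocks = 1           # header + up to 10 entries fit into one block
    entries, payload = b"", b""
    block = header_blocks
    for name, data in files:
        entries += struct.pack(ENTRY_FMT, block, len(data), name.encode())
        padded = data + b"\0" * (-len(data) % BLOCK_SIZE)
        payload += padded
        block += len(padded) // BLOCK_SIZE
    header = struct.pack(HEADER_FMT, SLB2_MAGIC, 1, 0, len(files), block)
    head = (header + entries).ljust(header_blocks * BLOCK_SIZE, b"\0")
    return head + payload


def parse_slb2(blob):
    """Return (container_version, [(name, data), ...]); raise on a malformed file."""
    magic, version, _flags, file_count, block_count = struct.unpack_from(HEADER_FMT, blob, 0)
    if magic != SLB2_MAGIC:
        raise ValueError("not an SLB2 container")
    if len(blob) != block_count * BLOCK_SIZE:
        raise ValueError("block count does not match file size")
    files = []
    for i in range(file_count):
        off, size, raw_name = struct.unpack_from(ENTRY_FMT, blob, 0x20 + i * 0x30)
        start = off * BLOCK_SIZE
        if start + size > len(blob):
            raise ValueError("entry %d points outside the container" % i)
        files.append((raw_name.rstrip(b"\0").decode(), blob[start:start + size]))
    return version, files


if __name__ == "__main__":
    sample = build_sample_slb2([("sys.img", b"A" * 700), ("rec.img", b"B" * 10)])
    print("bytes at offset 4:", sample[4:8].hex())   # 01000000, the value the post mentions
    print("container version:", parse_slb2(sample)[0])
```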

The previously "leaked" firmware is not the same as the one released now. The current firmware has version 01.501.000. The prior one had 2 different XML files, so it's still unclear whether it was 01.000.000, as the US update list said, or 01.500.000, as the JP update list said.

Full MD5 list:

01.500.000 / 01.000.000 system: C64D11F839AC8628176941B99FD3670E
01.500.000 / 01.000.000 recovery: 6F4D6AFE98DD7297C70AA4D6E7E5482B

01.501.000 system: DF008B5601F4A214A3CC65030A02AC4A
01.501.000 recovery: CEDADA625478DB608D5878C019454380



2) PS4 Manuals

You can now check out the official online manual HERE.


3) PS4 Open Source Software

The official PS4 open source page is HERE.


- SKFU