Thursday, October 30, 2014

PS4 Firmware 2.00 - Quick Review

It took a while until I found some spare time to check firmware 2.00 for the PlayStation4, but it was worth it!

First I'll show you two funny screenshots from my PS4:

I told you the TitleID research is important, didn't I?
NPXS20993

So yes, I could finally access the Debug Settings on a retail console. But no, we cannot use it :)
Sony learned their lesson and removed the back-end, so this is not very useful for us.
Maybe there is a way to unlock its full potential, but I could not find it yet.

Here I explained how to start applications by their TitleID on PS4. This kind of information is very important and I would like to encourage everyone to try it and add your results to the public list of PS4 TitleIDs.


Next on my list was to check WebKit. Sure, the stand-alone Internet Browser's WebKit was updated, but what about other applications and games?

Any application listed under the "TV & Video" menu uses a quite old WebKit.
To be more specific:

Mozilla/5.0 (PlayStation 4) AppleWebKit/531.3 (KHTML, like Gecko) SCEE/1.0 Nuanti/2.0
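As an added example of my own (not from the post), here is a small check that pulls the AppleWebKit build out of User-Agent strings seen in a proxy log and flags engines older than an assumed baseline; only the first sample UA is quoted from the post, the other two and the 537 baseline are constructed.

```python
import re
from typing import Optional, Tuple

# User-Agent reported by the PS4 "TV & Video" apps on firmware 2.00, quoted from the post.
PS4_TV_VIDEO_UA = ("Mozilla/5.0 (PlayStation 4) AppleWebKit/531.3 "
                   "(KHTML, like Gecko) SCEE/1.0 Nuanti/2.0")

# Constructed comparison samples (not from the post): a newer WebKit and a non-browser client.
SAMPLE_UAS = [
    PS4_TV_VIDEO_UA,
    "Mozilla/5.0 (PlayStation 4 2.00) AppleWebKit/537.73 (KHTML, like Gecko)",
    "curl/7.38.0",
]

# Assumed baseline: any AppleWebKit build below this is treated as outdated.
MIN_WEBKIT = (537,)

_WEBKIT_RE = re.compile(r"AppleWebKit/(\d+(?:\.\d+)*)")


def webkit_version(ua: str) -> Optional[Tuple[int, ...]]:
    """Return the AppleWebKit build of a User-Agent as a tuple of ints, or None if absent."""
    match = _WEBKIT_RE.search(ua)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_outdated_webkit(ua: str, minimum: Tuple[int, ...] = MIN_WEBKIT) -> bool:
    """True only for UAs that embed a WebKit build older than `minimum`."""
    version = webkit_version(ua)
    return version is not None and version < minimum


def flag_outdated(uas, minimum: Tuple[int, ...] = MIN_WEBKIT) -> list:
    """Inventory helper: keep the UA strings whose embedded WebKit is below the baseline."""
    return [ua for ua in uas if is_outdated_webkit(ua, minimum)]


if __name__ == "__main__":
    for ua in flag_outdated(SAMPLE_UAS):
        print("outdated WebKit:", webkit_version(ua), "in", ua)
```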

Worth a try for those who want 2.00 :)


Last but not least, I made a ridiculous discovery. This one has to do with a memory leak which led me to super interesting data. So far I got around 15MB of compressed but clear-text script data. If you wonder if this is a lot: YES IT IS! In a readable layout this is more than 250,000 lines of code.

Currently I have shared this with a handful of trusted developers to help me master this amount. Once we are through it we'll post about it, so stay tuned!


Please remember this was only a quick review which took like 2 hours, surely there's still a lot to find on this firmware :)


- SKFU

Tuesday, October 28, 2014

Tutorial: PS4 Remote Play via ANY Android Device

Normally I do not post about other people's work, but since this comes from outside of the normal PlayStation scene I think it's worth talking about.

Remote Play Button (step 9)
  1. In case you have it installed, uninstall the PlayStation®App from your device
  2. Download this .apk file
    1. Move the file to "/System/App/"
    2. Change the permission of the .apk to RW-R-R
  3. Download this .dex file
    1. Move the file to "/Data/Dalvik-Cache/"
    2. Change its permissions to RW-R-R
  4. Download these two XML files: 
    1. com.playstation.playstationcertified.xml
    2. com.playstation.remoteplayident.xml
    3. Move the files to "/System/etc/permissions/"
    4. Change their permissions to RW-R-R
  5. Download these two JAR files:
    1. com.playstation.playstationcertified.jar
    2. com.playstation.remoteplayident.jar
    3. Move the files to "/System/Framework/"
    4. Change their permissions to RW-R-R
  6. Reboot your phone/tablet
  7. Start the PlayStore, download and install the PlayStation®App
  8. Install the .apk file you downloaded at step 2
  9. Start the PlayStation®App and click the remote play button
  10. Play remotely!

Credits go to everyone involved from xda-developers.com + especially Wesley32 for the original tutorial!

Maybe someone gets it to work with BlueStacks for easy PC compatibility? :)


- SKFU

Tuesday, October 14, 2014

DRIVECLUB may brick your PS4 Blu-Ray Drive?!

Driveclub is currently facing a lot of problems, including a few delays, server-side problems and more. Today a friend from Hong Kong told me about a major bug which he faced on the release day of Driveclub.

Since he is a PS+ subscriber, he has access to the free PS+ version of Driveclub. He added it to his download list, waiting for the next time he'd be online.

Meanwhile he also purchased the disc version of Driveclub. Full of "GREATNESS AWAITS" thoughts, he turned on his PS4 and went online.

As the Driveclub PS+ version was already in his download list, it began to download. While the game was downloading, he wanted to use his disc version and pushed it into the PlayStation 4's Blu-Ray drive.

It seems that no one actually ever tested if a user would do that. The disc drive of my friend stopped working right away. Ejecting and inserting works fine, but the PS4 won't read any disc anymore.

We guess that this happened because the disc version and the PS+ version share the same TitleID, and having the same one mounted twice is impossible for the PS4 to handle. Inserting any disc simply results in a popup showing that the game is already inserted.

Rebooting the system or anything safe-mode like did not help. Currently his PS4 sits in a service center waiting for a solution. 


- SKFU

Sunday, October 5, 2014

PSV 3.30 Statement

I've just read Wololo's recent article about how the current 3.30 firmware for SONY's PlayStation VITA changed a lot of things in the scene. Please read it before this post, as I won't sum up everything again here.

Many patches prevent current hacks and exploits from being used on firmware 3.30.
But the question is: "Do we really need 3.30?"


If you waited your whole life for theme support on the PSV, then you probably do need it. But that's not the case for the majority, in my view. The scene should now finally focus on one firmware, which is 3.18.

WebKit, PKG Installer and PSP Emu exploits on this firmware give us all the opportunities required to develop a decent homebrew-enabled and natively hackable system. Updating the operating system can be targeted at a later time, just like it was done for the PS3.

It's kind of useless to play SONY's cat and mouse game and re-develop PSP emulator exploits for every firmware just to wait for the next patch again.

And for those who still care about 3.30: yes, I can confirm the PKG Installer is still working on it.
An even more interesting piece of information for you might be that there is a way to install PKG files without even touching the PKG Installer application :)


Good luck and stay focused,

- SKFU

Friday, September 19, 2014

PS4 - The State of Things Part III: I/O Vulnerability Analysis

After we checked the environment of the PS4, we should continue with a more detailed analysis of where, how and what we can import to and export from the system to actually affect it.

Let's see what our general I/O possibilities are first:

USB

Have you noticed the application "SHAREfactory" on your PS4? One of its interesting features is to import music files via USB. Vulnerability? Maybe. At least FFmpeg has all current patches applied.

SHAREfactory USB music import. Also useful as mediaplayer :)
Another USB feature is the import and export of screenshots, gameplay videos and savegames. Worth checking, I'd say.

HDD

As expected, the HDD is encrypted, so you can't do much here yet. But remember the PS3 HDD Encryption Fail!

WIFI / LAN

Yes, this is my favorite one. Please understand that I'll keep some details here to prevent unnecessary patches before things get gold.

As always for network sniffing, modding and more, you can use either Wireshark, Charles, or SKFU's Pr0xy.

One interesting thing we found is about "Final Fantasy XIV: A Realm Reborn". If you watch the game during its startup you may notice that it receives patch files in-game, rather than as a PKG before the game boots like other games do.

http://patch-bootver.ffxiv.com/http/ps4/ffxivneo_release_boot_eu/2014.04.02.0000.0000/?time=2014-04-04-11

A quick look in the downloaded file shows us that it downloads a ".patch" file. This file is installed just like a .PKG file but without its header checks. Vulnerability? Maybe.

There may be a lot more vulnerable games but since we are still not super-rich, we really appreciate any PSN code donation to research more of them. If you would like to contribute, push a PSN code to skfu@skfu.xxx. USA and German PSN codes are welcome! Thanks in advance!

HDMI

HDMI and vulnerable I/O? Yes! Not many people think about it, but HDMI has 2 nice features called CEC and HEC. There's even good documentation about CEC vulnerability testing here.

I have only briefly researched this, so I am counting on you guys! More information about this topic is available here.

DISC DRIVE

Well, you can already dump PS4 games with specific BD drives on your PC and check their content.

Another interesting and often forgotten feature is the ability to run Homebrew via BD-J. The whole BD-J system is based on Java 1.3 -> Vulnerability? Maybe.

Hereby I release a minimal PS4 BD-J SDK which is based on FreePlay's Minimal BD-J SDK for PS3, credits to him! It also contains a small "Hello World" example which is for testing purposes only, i.e. it's dirty test code.

ADDITIONAL DEVICES

The PlayStation4 supports some additional devices which communicate with each other. This includes for example the PlayStation VITA, but also mobile phones with companion applications installed, which can lead to interesting results as shown in "PS4 - The State of Things Part II"!

Remember that you can decrypt any companion application traffic for smartphones with Charles and/or a little bit of RE.

Other devices are connected via Bluetooth, like headsets, remote controllers etc. They can be sniffed and analyzed.

UART

115200, n, 8, 1


Happy hacking!

- SKFU

Sunday, September 14, 2014

PS4 - The State of Things Part II: Environment Analysis

Sadly there's no blueprint of the PS4's filesystem as far as I know, so how would we know where we want to go? We need to collect as much information about the filesystem and its environment as possible to even be able to determine our possible research targets and vulnerabilities.

For any PlayStation platform there are 3 good and legit ways to go:

 Way 1: Open Source Software & Open Documentation

Any Open Source Software used on the PlayStation4 is listed at http://www.scei.co.jp/ps4-license/.
A quick look through them reveals that many licenses force SONY to distribute copies of the used software which for the PS4 are:

  • cairo
  • Mono VM
    • "For request, please send e-mail to: pss_opensource_info@scei.co.jp with “PS4 Mono LGPL Request” in the subject line. In the body of the e-mail include your name and e-mail address."
  • Webkit
  • FFmpeg
Since we do have the sources, we can go through them, look for bugs and/or compare publicly available exploits to see if they are patched; for example via http://www.exploit-db.com/.

Furthermore you can check the World Wide Web for publicly available documentation about the system; sites like http://develop.scee.net/ are very useful. Just as an example, you can find the content guidelines for the PS4 web browser and a quite interesting presentation from 2013.

Way 2: Hardware Analysis

Not exactly the stuff I like to do, but one of the most interesting and promising research fields, I think.

For sure also the most expensive way to research. If you're lucky enough to own or be able to purchase proper hardware for this kind of research, you have tons of possibilities.

There's already a lot of information about PS4 hardware research available in the PS4 Developer Wiki, including some dumps and more.

Even if you do not have access to a fast enough logic analyzer, there's cheap & good hardware for simple chip dumps. Also you could check out other hardware interaction possibilities like UART (115200,n,8,1 in our case).

Way 3: Installed Software Analysis

Check the software on the target system for bugs which may lead to information leaks or similar. 

One of the best things which can happen at start is that you find a way for dumping parts of the memory which may reveal sensitive and useful information about the PS4 environment. 

A good example is the recently revealed exploit for the Wii U via its web browser & WebKit, which quite early on led to memory dumps. WebKit is known to be a weak point on nearly every system!

The Result

A decent result will give you a good overview of how the system works, which processes are linked to each other, how the filesystem looks and more.

Here's an example for the PlayStation4 filesystem: CLICK TO DOWNLOAD

The shown folders and files are based on our research until now. Some files and folders are missing and may be updated.



Part III of my "The State of Things" articles will arrive soon!

- SK

Friday, September 12, 2014

PS4 - The State of Things Part I: TitleIDs [#1 Update]

Yeah, I'm still here! A lot of information was collected, analyzed and misused in the past months. I want to share an overview with you and I'll start with "Part I: TitleIDs".


This post is not entirely about the PS4, it will include some information about the PSV as well.

Why are we interested in TitleIDs?


Both the PS4 and the PSV use the known system of TitleIDs to identify games and apps. Most of them are visible to you via either the LiveArea on PSV or the menu of the PS4.

Some of them, on the other hand, are only used as references for internal modules or similar and are therefore hidden. The most interesting ones are those which are linked with applications you are not supposed to see and are just implemented for tests, were forgotten or exist for other unknown reasons. Do we want to find and start them? Yes, we do!

How do we find valid TitleIDs?

Well, the best start is to look at the error reports of the consoles. Once a game or app crashes, a small error report is generated and you can view this information via the system's settings. You'll see that the TitleID is always with it.

NPXS19999 is the TitleID
Surely this will not lead us to any interesting hidden applications, since those are most likely never active and cannot be crashed without even knowing how to start them, but it will give us a good starting point, since the range of commonly used system IDs is huge (NPXS00000-NPXS9999). So now we need a way to test for valid IDs, i.e. a possibility to launch games/apps by their TitleID by bruteforcing.

How do we start apps/games by TitleID?


PS VITA Method: [UPDATED]

[UPDATE]

For simplicity, here's a small webform which will unlock the PKG Installer for your PS VITA: http://www.zload.net/pkg/, kindly hosted by The Zett. Just enter the E-Mail address you use on your PSV and the script will send you the unlock E-Mail.

[/UPDATE]

On PlayStation VITA there are many ways to achieve our goal, so it's not important right now if one is public. I will show you the most simple one. Probably you have noticed the leak of information regarding a hidden PKG installer a few months ago; this was achieved by using this technique.

As simple as it is, the only thing you have to do is set up the E-Mail client application on your PlayStation VITA and write yourself an HTML E-Mail with the following content, then receive the E-Mail on your PSV.

<a href="psgm:open?titleid=NPXS10031">OPEN PKG INSTALLER</a>

Open your E-Mail app and click the link, and the PKG installer will start. You may want to replace the titleid parameter with any of your choice. I have a small list of tested TitleIDs for PSV right here, feel free to add or modify information.
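As an added example of my own (not from the post), this is how a mail client's handler for the psgm:open link scheme could validate the titleid before acting on it; the four-letters-plus-five-digits shape is assumed from the IDs quoted on the page, and the sample e-mail body is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# TitleIDs quoted on the page (NPXS10031, NPXS19999) are four upper-case letters plus five
# digits; this pattern assumes every TitleID has that shape.
TITLEID_RE = re.compile(r"^[A-Z]{4}[0-9]{5}$")

class _HrefCollector(HTMLParser):
    """Collect the href of every <a> tag in an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value is not None:
                    self.hrefs.append(value)

def extract_hrefs(html: str) -> list:
    parser = _HrefCollector()
    parser.feed(html)
    return parser.hrefs

def parse_psgm_open(link: str):
    """Return the TitleID of a well-formed psgm:open?titleid=XXXX00000 link, else None.
    Other schemes/commands, extra or repeated parameters and malformed IDs are rejected."""
    parts = urlsplit(link)
    if parts.scheme != "psgm" or parts.netloc or parts.path != "open":
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if set(params) != {"titleid"} or len(params["titleid"]) != 1:
        return None
    titleid = params["titleid"][0]
    return titleid if TITLEID_RE.match(titleid) else None

# Constructed e-mail body: the link from the post plus three links that must be rejected.
SAMPLE_MAIL = """
<a href="psgm:open?titleid=NPXS10031">OPEN PKG INSTALLER</a>
<a href="psgm:open?titleid=NPXS1003">too short</a>
<a href="psgm:open?titleid=NPXS10031&amp;foo=bar">extra parameter</a>
<a href="https://example.invalid/">not a psgm link</a>
"""

def accepted_titleids(html: str) -> list:
    """TitleIDs in a mail body that pass validation, in document order."""
    found = (parse_psgm_open(href) for href in extract_hrefs(html))
    return [tid for tid in found if tid is not None]
```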

PS4 Method:

For the PlayStation 4 our method is a bit more complicated and requires a bit of RE knowledge for Android and/or iOS. I'll describe an example for Android:

Please grab a copy of the Metal Gear Solid V: GZ companion app for Android and save the APK on your PC. APK Downloader is useful here! (It's a fantastic game, I'm really sorry I had to use this one :( )

Now you'll need the APK-Multi-Tool. Set up the tool and place the MGS companion APK file in the "place-apk-here-for-modding" folder. Start the tool via "Script.bat" and choose option 9 to decompile the APK. You now have a decompiled copy of the APK in your "projects" folder.

Locate the "PS4Net$1.smali" source file in "/smali/jp/konami/mgsvgzapp/", open it, replace the MGS V: GZ TitleIDs with one of your choice and save the file. Go back to the APK-Multi-Tool script and choose option 15 (assuming your Android phone is connected in debugger mode).

Now you can start the app on your phone, choose the main option and it will find your PS4 after you have logged in to PSN. Normally the application would start Metal Gear Solid V: GZ, but now it tries to start your TitleID if available.

The authentication system used for the secure communication between your phone and your PS4 is well done, but sadly not useful if we use a modification like this. Feel free to join the list of tested TitleIDs for PS4.

For obvious reasons I made a small TitleID launcher to test different IDs a lot faster.

XBOX ONE Method:

In the APK described in the PS4 method you might have noticed that there is code for the XBOX ONE version of the game as well. Nearly the same system, have fun.


Stay tuned for Part II!

Best regards,

- SKFU