Friday, September 19, 2014

PS4 - The State of Things Part III: I/O Vulnerability Analysis

After looking at the PS4's environment, we should continue with a more detailed analysis of where, how and what we can import to and export from the system in order to actually affect it.

Let's see what our general I/O possibilities are first:

USB

Have you noticed the application "SHAREfactory" on your PS4? One of its interesting features is importing music files via USB. Vulnerability? Maybe. At least FFmpeg has all current patches applied.

SHAREfactory USB music import. Also useful as a media player :)

Another USB feature is the import and export of screenshots, gameplay videos and savegames. Worth checking, I'd say.

HDD

As expected, the HDD is encrypted, so you can't do much here yet. But remember the PS3 HDD Encryption Fail!

WIFI / LAN

Yes, this is my favorite one. Please understand that I'll keep some details to myself here to prevent unnecessary patches before things get gold.

As always for network sniffing, modding and more, you can use either Wireshark, Charles, or SKFU's Pr0xy.

One interesting thing we found concerns "Final Fantasy XIV: A Realm Reborn". If you watch the game during its startup, you may notice that it receives patch files in-game, and not as a PKG before the game boots, as other games do.

http://patch-bootver.ffxiv.com/http/ps4/ffxivneo_release_boot_eu/2014.04.02.0000.0000/?time=2014-04-04-11

A quick look at the downloaded file shows us that it fetches a ".patch" file. This file is installed just like a .PKG file, but without its header checks. Vulnerability? Maybe.

There may be a lot more vulnerable games but since we are still not super-rich, we really appreciate any PSN code donation to research more of them. If you would like to contribute, push a PSN code to skfu@skfu.xxx. USA and German PSN codes are welcome! Thanks in advance!

HDMI

HDMI and vulnerable I/O? Yes! Not many people think about it, but HDMI has 2 nice features called CEC and HEC. There's even good documentation about CEC vulnerability testing here.

I have only briefly researched this, so I am counting on you guys! More information about this topic is available here.

DISC DRIVE

Well, you can already dump PS4 games with specific BD drives on your PC and check their contents.

Another interesting and often forgotten feature is the ability to run homebrew via BD-J. The whole BD-J system is based on Java 1.3 -> Vulnerability? Maybe.

I'm hereby releasing a minimal PS4 BD-J SDK based on FreePlay's Minimal BD-J SDK for PS3, credits to him! It also contains a small "Hello World" example which is for testing purposes only, i.e. it's dirty test code.

ADDITIONAL DEVICES

The PlayStation 4 supports some additional devices that communicate with it. This includes, for example, the PlayStation VITA, but also mobile phones with companion applications installed, which can lead to interesting results, as shown in "PS4 - The State of Things Part II"!

Remember that you can decrypt any companion application traffic for smartphones with Charles and/or a little bit of RE.

Other devices, like headsets, remote controllers etc., are connected via Bluetooth. They can be sniffed and analyzed.

UART

115200, n, 8, 1

Happy hacking!

- SKFU

Sunday, September 14, 2014

PS4 - The State of Things Part II: Environment Analysis

Sadly there's no blueprint of the PS4's filesystem as far as I know, so how would we know where we want to go? We need to collect as much information about the filesystem and its environment as possible to even be able to determine our possible research targets and vulnerabilities.

For any PlayStation platform there are 3 good and legitimate ways to go:

Way 1: Open Source Software & Open Documentation

Any Open Source Software used on the PlayStation 4 is listed at http://www.scei.co.jp/ps4-license/.
A quick look through them reveals that many licenses require SONY to distribute copies of the software used, which for the PS4 are:

  • cairo
  • Mono VM
    • "For request, please send e-mail to: pss_opensource_info@scei.co.jp with “PS4 Mono LGPL Request” in the subject line. In the body of the e-mail include your name and e-mail address."
  • Webkit
  • FFmpeg

Since we have the sources, we can go through them, look for bugs and/or compare publicly available exploits to see whether they are patched, for example via http://www.exploit-db.com/.

Furthermore, you can search the web for publicly available documentation about the system; sites like http://develop.scee.net/ are very useful. Just as an example, you can find the content guidelines for the PS4 web browser and a quite interesting presentation from 2013.

Way 2: Hardware Analysis

Not exactly the stuff I like to do, but one of the most interesting and promising research fields, I think.

It's certainly also the most expensive way to do research. If you're lucky enough to own, or be able to purchase, proper hardware for this kind of research, you have tons of possibilities.

There's already a lot of information about PS4 hardware research available in the PS4 Developer Wiki, including some dumps and more.

Even if you do not have access to a fast enough logic analyzer, there's cheap and good hardware for simple chip dumps. You could also check out other hardware interaction possibilities like UART (115200,n,8,1 in our case).

Way 3: Installed Software Analysis

Check the software on the target system for bugs which may lead to information leaks or similar.

One of the best things that can happen at the start is finding a way to dump parts of the memory, which may reveal sensitive and useful information about the PS4 environment.

A good example is the recently revealed exploit for the Wii U via its web browser & Webkit, which quite early on led to memory dumps. Webkit is known to be a weak point on nearly every system!

The Result

A decent result will give you a good overview of how the system works, which processes are linked to each other, what the filesystem looks like, and more.

Here's an example for the PlayStation4 filesystem: CLICK TO DOWNLOAD

The folders and files shown are based on our research so far. Some files and folders are missing and may be updated.

Part III of my "The State of Things" articles will arrive soon!

- SK

Friday, September 12, 2014

PS4 - The State of Things Part I: TitleIDs [#1 Update]

Yeah, I'm still here! A lot of information was collected, analyzed and misused in the past months. I want to share an overview with you, and I'll start with "Part I: TitleIDs".


This post is not entirely about the PS4, it will include some information about the PSV as well.

Why are we interested in TitleIDs?


Both the PS4 and the PSV use the well-known system of TitleIDs to identify games and apps. Most of them are visible to you via either the LiveArea on the PSV or the menu of the PS4.

Some of them, on the other hand, are only used as references for internal modules or similar and are therefore hidden. The most interesting ones are those linked with applications you are not supposed to see, which were implemented just for tests, were forgotten, or exist for other unknown reasons. Do we want to find and start them? Yes, we do!

How do we find valid TitleIDs?

Well, the best start is to look at the error reports of the consoles. Once a game or app crashes, a small error report is generated, and you can view this information via the system's settings. You'll see that the TitleID is always included.

NPXS19999 is the TitleID
Surely this will not lead us to any interesting hidden applications, since those are most likely never active and cannot be crashed without even knowing how to start them, but it gives us a good starting point, since the range of commonly used system IDs is huge (NPXS00000-NPXS9999). So now we need a way to test for valid IDs, i.e. a way to launch games/apps by their TitleID through brute-forcing.

How do we start apps/games by TitleID?


PS VITA Method: [UPDATED]

[UPDATE]

For simplicity, here's a small web form which will unlock the PKG Installer for your PS VITA: http://www.zload.net/pkg/, kindly hosted by The Zett. Just enter the E-Mail address you use on your PSV and the script will send you the unlock E-Mail.

[/UPDATE]

On the PlayStation VITA there are many ways to achieve our goal, so it's not important right now if one of them is public. I will show you the simplest one. You probably noticed the leak of information regarding a hidden PKG installer a few months ago; this was achieved using this technique.

As simple as it is, the only thing you have to do is set up the E-Mail client application on your PlayStation VITA and send yourself an HTML E-Mail with the following content, so that you receive it on your PSV.

<a href="psgm:open?titleid=NPXS10031">OPEN PKG INSTALLER</a>

Open your E-Mail app and click the link, and the PKG installer will start. You may want to replace the titleid parameter with one of your choice. I have a small list of tested TitleIDs for the PSV right here; feel free to add or modify information.

PS4 Method:

For the PlayStation 4 our method is a bit more complicated and requires a bit of RE knowledge for Android and/or iOS. I'll describe an example for Android:

Please grab a copy of the Metal Gear Solid V: GZ companion app for Android and save the APK on your PC. APK Downloader is useful here! (It's a fantastic game, I'm really sorry I had to use this one :( )

Now you'll need the APK-Multi-Tool. Set up the tool and place the MGS companion APK file in the "place-apk-here-for-modding" folder. Start the tool via "Script.bat" and choose option 9 to decompile the APK. You now have a decompiled copy of the APK in your "projects" folder.

Locate the "PS4Net$1.smali" source file in "/smali/jp/konami/mgsvgzapp/", open it, replace the MGS V: GZ TitleIDs with one of your choice, and save the file. Go back to the APK-Multi-Tool script and choose option 15 (assuming your Android phone is connected in debugging mode).

Now you can start the app on your phone and choose the main option; it will find your PS4 after you have logged in to PSN. Normally the application would then start Metal Gear Solid V: GZ, but now it tries to start your TitleID, if available.

The authentication system used for the secure communication between your phone and your PS4 is well done, but sadly it does not help against a modification like this. Feel free to contribute to the list of tested TitleIDs for PS4.

For obvious reasons I made a small TitleID launcher to test different IDs a lot faster.

XBOX ONE Method:

In the APK described in the PS4 method you might have noticed that there is code for the XBOX ONE version of the game as well. Nearly the same system, have fun.


Stay tuned for Part II!

Best regards,

- SKFU