Friday, September 19, 2014

PS4 - The State of Things Part III: I/O Vulnerability Analysis

Now that we have looked at the environment of the PS4, we should continue with a more detailed analysis of where, how and what we can import to and export from the system in order to actually affect it.

Let's see what our general I/O possibilities are first:

USB

Have you noticed the application "SHAREfactory" on your PS4? One of its interesting features is importing music files via USB. Vulnerability? Maybe. At least FFmpeg has all current patches applied.

SHAREfactory USB music import. Also useful as a media player :)
Another USB feature is the import and export of screenshots, gameplay videos and savegames. Worth checking, I'd say.

HDD

As expected, the HDD is encrypted, so you can't do much here yet. But remember the PS3 HDD Encryption Fail!

WIFI / LAN

Yes, this is my favorite one. Please understand that I'll hold back some details here to avoid triggering unnecessary patches before things are ready.

As always for network sniffing, modding and more, you can use either Wireshark, Charles, or SKFU's Pr0xy.

One interesting thing we found concerns "Final Fantasy XIV: A Realm Reborn". If you watch the game during its startup, you may notice that it receives patch files in-game, rather than as PKG files before the game boots, as other games do.

http://patch-bootver.ffxiv.com/http/ps4/ffxivneo_release_boot_eu/2014.04.02.0000.0000/?time=2014-04-04-11

A quick look at the downloaded file shows that the game downloads a ".patch" file. This file is installed just like a .PKG file but without its header checks. Vulnerability? Maybe.

There may be many more vulnerable games, but since we are still not super-rich, we really appreciate any PSN code donation to research more of them. If you would like to contribute, send a PSN code to skfu@skfu.xxx. USA and German PSN codes are welcome! Thanks in advance!

HDMI

HDMI and vulnerable I/O? Yes! Not many people think about it, but HDMI has two nice features called CEC and HEC. There's even good documentation about CEC vulnerability testing here.

I have only briefly researched this, so I am counting on you guys! More information about this topic is available here.

DISC DRIVE

Well, you can already dump PS4 games with specific BD drives on your PC and check their contents.

Another interesting and often forgotten feature is the ability to run homebrew via BD-J. The whole BD-J system is based on Java 1.3 -> Vulnerability? Maybe.

I hereby release a minimal PS4 BD-J SDK, based on FreePlay's Minimal BD-J SDK for PS3; credits to him! It also contains a small "Hello World" example which is for testing purposes only, i.e. it's dirty test code.
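To show what such a BD-J "Hello World" looks like, here is an added example written for this post; it is not the test code shipped in the SDK above, and the class name HelloWorldXlet, the message text and the screen size are my own assumptions. It sticks to the Java TV xlet lifecycle (javax.tv.xlet) and the HAVi UI scene API (org.havi.ui), which are the standard BD-J interfaces, and avoids any language feature newer than the Java 1.3-era profile the post mentions, since a player will not load newer class files.

```java
// Added example: a minimal BD-J xlet, written for this post and not taken from
// SKFU's SDK. Class name, text and layout values are assumptions. Only APIs
// available in BD-J's Java 1.3-era profile are used (no generics, no annotations).
import java.awt.Color;
import java.awt.Component;
import java.awt.Font;
import java.awt.Graphics;

import javax.tv.xlet.Xlet;
import javax.tv.xlet.XletContext;
import javax.tv.xlet.XletStateChangeException;

import org.havi.ui.HScene;
import org.havi.ui.HSceneFactory;

public class HelloWorldXlet implements Xlet {

    // The HScene is BD-J's equivalent of a top-level window on the graphics plane.
    private HScene scene;
    private XletContext context;

    // Called once by the player's application manager after the xlet is loaded.
    public void initXlet(XletContext ctx) throws XletStateChangeException {
        context = ctx;
        scene = HSceneFactory.getInstance().getDefaultHScene();
        scene.setLayout(null);             // components are positioned by hand
        scene.setBounds(0, 0, 1920, 1080); // assumed full 1080p plane

        HelloComponent hello = new HelloComponent();
        hello.setBounds(0, 0, 1920, 1080);
        scene.add(hello);
    }

    // Called when the xlet becomes active: show the scene and take key focus.
    public void startXlet() throws XletStateChangeException {
        scene.setVisible(true);
        scene.requestFocus();
    }

    // Called when the player pauses the xlet (e.g. another title is selected).
    public void pauseXlet() {
        scene.setVisible(false);
    }

    // Release the scene; the player does not reuse this instance afterwards.
    public void destroyXlet(boolean unconditional) throws XletStateChangeException {
        if (scene != null) {
            scene.setVisible(false);
            scene.dispose();
            scene = null;
        }
    }

    // A plain AWT component that paints the message; a static nested class so
    // the whole example stays in one source file.
    private static class HelloComponent extends Component {
        public void paint(Graphics g) {
            g.setColor(Color.black);
            g.fillRect(0, 0, getWidth(), getHeight());
            g.setColor(Color.white);
            g.setFont(new Font("SansSerif", Font.BOLD, 48));
            g.drawString("Hello World from BD-J", 200, 300);
        }
    }
}
```

The compiled class goes into a JAR that a BDJO descriptor on the disc points at; I assume the SDK's build scripts take care of that packaging. Note that an unsigned xlet like this one runs inside the BD-J sandbox, so whatever the player's security policy denies (local storage, network, privileged APIs) is simply unavailable to it; that sandbox boundary is exactly the part worth studying when you ask the "Vulnerability? Maybe." question above.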

ADDITIONAL DEVICES

The PlayStation 4 supports some additional devices which communicate with each other. This includes, for example, the PlayStation Vita but also mobile phones with companion applications installed, which can lead to interesting results as shown in "PS4 - The State of Things Part II"!

Remember that you can decrypt any companion application traffic for smartphones with Charles and/or a little bit of RE.

Other devices, like headsets, remote controllers etc., are connected via Bluetooth. They can be sniffed and analyzed.

UART

115200 baud, no parity, 8 data bits, 1 stop bit (115200 8N1)


Happy hacking!

- SKFU