fail0verflow: Using HDMI-CEC to get code exec on PS4 southbridge

November 5, 2018 ~ hucktech ~ Leave a comment

Another "PS4 Aux Hax" blog! Using HDMI-CEC to get code exec on all PS4 southbridge versions (including PS4 Pro, etc.), without requiring other parts of the system to be pwned:https://t.co/tLBvMho8W2

— fail0verflow (@fail0verflow) November 5, 2018

https://fail0verflow.com/blog/2018/ps4-cec/.

2018-11-03
PS4 Aux Hax 4: Belize via CEC
This post describes another way to attain code execution on Aeolia (actually, the southbridge revision on PS4 Pro which was used in this case is named “Belize”). This exploit differs from the previously documented method as it does not have the prerequisite of gaining control of the APU. Additionally it is fairly generic and therefor workable on all currently released hardware and software versions of PS4.[…]

ShofEL2, a Tegra X1 and Nintendo Switch exploit

April 24, 2018 ~ hucktech ~ 1 Comment

Re: https://firmwaresecurity.com/2018/04/23/shofel2-responsible-disclosure-window-ends-april-25th/

https://twitter.com/coreboot_org/status/988673576785137670

https://fail0verflow.com/blog/2018/shofel2/

Coreboot and Linux on the Switch. Holy smokes! @coreboot_org

— David (@Liimero) April 23, 2018

ShofEL2 responsible disclosure window ends April 25th

April 23, 2018 ~ hucktech ~ 1 Comment

Re: https://firmwaresecurity.com/2018/02/19/nintendos-new-kde-linux-tablet/ and https://firmwaresecurity.com/2018/01/16/dumping-the-playstation4-kernel/

Introducing our new, revolutionary technology for Nintendo Switch modification. Welcome to SwitchX PRO. Coming soon. pic.twitter.com/d3xGawrW1u

— fail0verflow (@fail0verflow) April 23, 2018

And for those who don't want to wait or want a more cost-effective solution, we're also introducing a lite version of SwitchX. Available at your local hardware store TODAY. pic.twitter.com/BlPMmqLGlw

— fail0verflow (@fail0verflow) April 23, 2018

Jokes aside, we have a 90-day responsible disclosure window for ShofEL2 ending on April 25th. Since another person published the bug so close to our declared deadline, we're going to wait things out. Stay tuned.

— fail0verflow (@fail0verflow) April 23, 2018

Nintendo’s new KDE Linux tablet :-)

February 19, 2018 ~ hucktech ~ 1 Comment

Re: https://firmwaresecurity.com/2018/01/16/dumping-the-playstation4-kernel/

https://twitter.com/fail0verflow/status/964954316892119040

🐧🐧🐧🐧 #switch pic.twitter.com/4iTjTk9D59

— fail0verflow (@fail0verflow) February 6, 2018

https://liliputing.com/2018/02/fail0verflow-turns-a-nintendo-switch-into-a-full-fledged-linux-pc.html

https://www.theverge.com/circuitbreaker/2018/2/19/17029916/nintendo-switch-hack-linux-fail0verflow

https://www.forbes.com/sites/jasonevangelho/2018/02/09/hackers-are-running-linux-on-the-switch-and-claim-nintendo-cant-patch-it/#73bc32eb512c

https://www.nintendo.com/switch/

I have never once considered purchasing a Nintendo Switch …until now. 🙂

Dumping the Playstation4 kernel

January 16, 2018 ~ hucktech ~ 1 Comment

We made a nice scroller for Switch 🙂 pic.twitter.com/kUWTVMQf8s

— fail0verflow (@fail0verflow) January 7, 2018

In case it wasn't obvious, our Switch coldboot exploit:
* Is a bootrom bug
* Can't be patched (in currently released Switches)
* Doesn't require a modchip to pull offhttps://t.co/LLadlEmm44

— fail0verflow (@fail0verflow) January 16, 2018

Dumping a PS4 Kernel in “Only” 6 Days

Filed under ps4 vulnerability exploit

What if a secure device had an attacker-viewable crashdump format?
What if that same device allowed putting arbitrary memory into the crashdump?
Amazingly, the ps4 tempted fate by supporting both of these features!
Let’s see how that turned out…
Crashdumps on PS4

The crash handling infrastructure of the ps4 kernel is interesting for 2 main reasons:
It is ps4-specific code (likely to be buggy)
If the crashdump can be decoded, we will gain very useful info for finding bugs and creating reliable exploits

On a normal FreeBSD system, a kernel panic will create a dump by calling kern_reboot with the RB_DUMP flag. This then leads to doadump being called, which will dump a rather tiny amount of information about the kernel image itself to some storage device. On ps4, the replacement for doadump is mdbg_run_dump, which can be called from panic or directly from trap_fatal. The amount of information stored into the dump is gigantic by comparison – kernel state for all process, thread, and vm objects are included, along with some metadata about loaded libraries. Other obvious changes from the vanilla FreeBSD method are that the mdbg_run_dump encodes data recorded into the dump on a field-by-field basis and additionally encrypts the resulting buffer before finally storing it to disk.[…]

https://fail0verflow.com/blog/2017/ps4-crashdump-dump/