fail0verflow: Using HDMI-CEC to get code exec on PS4 southbridge

PS4 Aux Hax 4: Belize via CEC
This post describes another way to attain code execution on Aeolia (actually, the southbridge revision on PS4 Pro which was used in this case is named “Belize”). This exploit differs from the previously documented method as it does not have the prerequisite of gaining control of the APU. Additionally it is fairly generic and therefor workable on all currently released hardware and software versions of PS4.[…]

ShofEL2, a Tegra X1 and Nintendo Switch exploit


ShofEL2 responsible disclosure window ends April 25th

Re: and

Nintendo’s new KDE Linux tablet :-)


I have never once considered purchasing a Nintendo Switch …until now. 🙂


Dumping the Playstation4 kernel

Dumping a PS4 Kernel in “Only” 6 Days

Filed under ps4 vulnerability exploit

What if a secure device had an attacker-viewable crashdump format?
What if that same device allowed putting arbitrary memory into the crashdump?
Amazingly, the ps4 tempted fate by supporting both of these features!
Let’s see how that turned out…
Crashdumps on PS4

The crash handling infrastructure of the ps4 kernel is interesting for 2 main reasons:
It is ps4-specific code (likely to be buggy)
If the crashdump can be decoded, we will gain very useful info for finding bugs and creating reliable exploits

On a normal FreeBSD system, a kernel panic will create a dump by calling kern_reboot with the RB_DUMP flag. This then leads to doadump being called, which will dump a rather tiny amount of information about the kernel image itself to some storage device. On ps4, the replacement for doadump is mdbg_run_dump, which can be called from panic or directly from trap_fatal. The amount of information stored into the dump is gigantic by comparison – kernel state for all process, thread, and vm objects are included, along with some metadata about loaded libraries. Other obvious changes from the vanilla FreeBSD method are that the mdbg_run_dump encodes data recorded into the dump on a field-by-field basis and additionally encrypts the resulting buffer before finally storing it to disk.[…]