Dumping the Playstation4 kernel

Dumping a PS4 Kernel in “Only” 6 Days

Filed under ps4 vulnerability exploit

What if a secure device had an attacker-viewable crashdump format?
What if that same device allowed putting arbitrary memory into the crashdump?
Amazingly, the ps4 tempted fate by supporting both of these features!
Let’s see how that turned out…
Crashdumps on PS4

The crash handling infrastructure of the ps4 kernel is interesting for 2 main reasons:
It is ps4-specific code (likely to be buggy)
If the crashdump can be decoded, we will gain very useful info for finding bugs and creating reliable exploits

On a normal FreeBSD system, a kernel panic will create a dump by calling kern_reboot with the RB_DUMP flag. This then leads to doadump being called, which will dump a rather tiny amount of information about the kernel image itself to some storage device. On ps4, the replacement for doadump is mdbg_run_dump, which can be called from panic or directly from trap_fatal. The amount of information stored into the dump is gigantic by comparison – kernel state for all process, thread, and vm objects are included, along with some metadata about loaded libraries. Other obvious changes from the vanilla FreeBSD method are that the mdbg_run_dump encodes data recorded into the dump on a field-by-field basis and additionally encrypts the resulting buffer before finally storing it to disk.[…]

https://fail0verflow.com/blog/2017/ps4-crashdump-dump/

 

ps4-namedobj-exploit: Playstation 4 Kernel Exploit

https://fail0verflow.com/blog/2017/ps4-namedobj-exploit/

https://github.com/Cryptogenic/PS4-4.05-Kernel-Exploit

https://github.com/Cryptogenic/Exploit-Writeups/blob/master/PS4/%22NamedObj%22%204.05%20Kernel%20Exploit%20Writeup.md

A fully implemented kernel exploit for the PS4 on 4.05FW.  In this project you will find a full implementation of the “namedobj” kernel exploit for the PlayStation 4 on 4.05. It will allow you to run arbitrary code as kernel, to allow jailbreaking and kernel-level modifications to the system. This release however, does not contain any code related to defeating anti-piracy mechanisms or running homebrew. This exploit does include a loader that listens for payloads on port 9020 and will execute them upon receival.