2021-12-19

Recent fixes to bad_hoist, the WebKit exploit maintained by developer Sleirsgoevy, were pushed overnight to update pOOBs4, the jailbreak for PlayStation 4 consoles on firmware 9.00.

The exploit is now more stable in the post-exploitation phase, that is, immediately after launch, when it tries to maintain access, escalate privileges, or gather further information.

Update: https://t.co/sqp6TR9DiU Will test / update the DNS this weekend – Al Azif (@_AlAzif) December 18, 2021

The project contains a new implementation that exploits a filesystem bug in firmware 9.00 of the PlayStation 4, found while diffing the 9.00 and 9.03 kernels.

Note: the bug predates firmware 1.00, which means every firmware from 1.00 to 9.00 should be exploitable with the same strategy (a different userland exploit and gadgets are still needed).

To jailbreak, open the page biteyourconsole.net/pOOBs4/ in the PlayStation 4 web browser and connect a USB drive onto which the exFAT image exfathax.img has been written.

Once triggered, the exploit allows arbitrary code execution in the kernel, which is what enables the jailbreak and kernel-level modifications to the system.

The payload launcher listens, as usual, on port 9020. Note that the exploit does not work on the latest firmware, 9.03.

The following patches are applied to the kernel:

Allow RWX (read-write-execute) memory mapping (mmap / mprotect).

Syscall instructions allowed anywhere.

Dynamic resolution (sys_dynlib_dlsym) allowed from any process.

Custom system call #11 (kexec()) to execute arbitrary code in kernel mode.

Allow unprivileged users to call setuid(0) successfully. It works as a health check and doubles as a privilege escalation.

sys_dynlib_load_prx patch.

Disable delayed panics from sysVeri.

This exploit differs from previous ones, which were purely software-based: triggering the vulnerability requires plugging in a specially formatted USB device at the right moment.

The repository contains an .img file. Write the image to a USB drive with one of the many tools available, such as Win32DiskImager.

Note: this will erase the USB drive; make sure you have selected the correct drive before confirming.

When the exploit runs on the console, wait for the dialog that reads “Insert USB now. do not close the dialog until notification pops, remove usb after closing it.”

As the dialog instructs, insert the USB drive and wait for the “disk format not supported” notification, then dismiss the dialog with “OK”.

The exploit may take up to a minute to run, and the spinning animation on the page may freeze; that is fine, let it continue until either an error is shown or it succeeds and displays “Awaiting payload”.

Insert the USB drive only when the dialog appears, then leave it plugged in until the PS4 storage notifications appear.

Unplugging the USB drive before a (re)boot cycle risks corrupting the kernel heap on boot.

The browser may prompt you to close the page prematurely; don't.

The loading spinner may freeze while the WebKit exploit runs; this means nothing.

You can replace the loader with a specific payload to load things directly instead of over a socket.

This bug also exists on some PS5 firmwares, but there is currently no known strategy to exploit it there. Attempting to trigger it blind on a PS5 is not recommended.

Once the exploit is active, inject the desired payloads: download the Netcat GUI application, send the Mira loader first to port 9020, then send the desired payload to port 9021.
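The same two-step delivery can be scripted from a PC instead of using Netcat GUI. The following Python script is an added example, not code from pOOBs4, Mira or GoldHEN: it streams the loader to port 9020, then the payload to port 9021, and retries while the console has not yet reached “Awaiting payload” (a refused connection) rather than failing on the first attempt. The console address, the file names and the FakeLoader class are assumptions; the fake loaders exist only so the script can be exercised offline with constructed payload bytes.

```python
"""Two-stage payload delivery to a PS4 over raw TCP.
Added example, not code from pOOBs4, GoldHEN or Mira. It assumes, as the
page describes, that the launcher on port 9020 and the second-stage loader
on 9021 each accept one connection and read the payload as a raw byte
stream until the sender closes. The console address is a placeholder.
"""
import socket
import sys
import threading
import time

LOADER_PORT = 9020   # pOOBs4 payload launcher ("Awaiting payload")
PAYLOAD_PORT = 9021  # loader started by the first payload (e.g. Mira)


class PayloadError(Exception):
    """Raised when a payload cannot be delivered."""


def send_payload(host, port, data, timeout=5.0, retries=3, backoff=1.0):
    """Stream `data` to host:port and return the number of bytes sent.
    The console listens only once the exploit reaches "Awaiting payload", so
    a refused connection is retried after a delay instead of failing at once.
    An empty payload is rejected before any network I/O.
    """
    if not data:
        raise PayloadError("refusing to send an empty payload")
    last_err = None
    for _ in range(retries):
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(data)
                s.shutdown(socket.SHUT_WR)  # EOF tells the loader we are done
                return len(data)
        except OSError as e:  # refused, timed out, unreachable
            last_err = e
            time.sleep(backoff)
    raise PayloadError(f"could not deliver to {host}:{port}: {last_err}")


def deliver_chain(host, stage1, stage2, port1=LOADER_PORT, port2=PAYLOAD_PORT):
    """Order matters: the loader goes to 9020 first; only after it is
    listening does the real payload go to 9021."""
    return send_payload(host, port1, stage1), send_payload(host, port2, stage2)


class FakeLoader(threading.Thread):
    """Offline stand-in for the console listener (assumption, not the real
    launcher): accepts one connection and reads until the sender closes."""

    def __init__(self):
        super().__init__(daemon=True)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.received = b""

    def run(self):
        conn, _ = self.sock.accept()
        with conn:
            while chunk := conn.recv(65536):
                self.received += chunk
        self.sock.close()


def local_demo():
    """Deliver two constructed payloads (not real .bin files) to two fake
    loaders on localhost; returns (stage1 intact, stage2 intact, stage2 len)."""
    stage1 = b"\x90" * 64 + b"STAGE1-LOADER"
    stage2 = bytes(range(256)) * 4 + b"STAGE2-PAYLOAD"
    l1, l2 = FakeLoader(), FakeLoader()
    l1.start()
    l2.start()
    deliver_chain("127.0.0.1", stage1, stage2, port1=l1.port, port2=l2.port)
    l1.join(5)
    l2.join(5)
    return l1.received == stage1, l2.received == stage2, len(stage2)


def refused_demo():
    """Failure mode: nothing listening yet (exploit not at "Awaiting payload")."""
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()  # the port is now closed, so connecting to it is refused
    try:
        send_payload("127.0.0.1", port, b"\x90", timeout=1.0, retries=2, backoff=0.0)
    except PayloadError:
        return True
    return False


if __name__ == "__main__":
    # Usage: python send_payload.py <ps4-ip> loader.bin payload.bin
    ps4, loader, payload = sys.argv[1:4]
    with open(loader, "rb") as f, open(payload, "rb") as g:
        print(deliver_chain(ps4, f.read(), g.read()))
```

With plain netcat the equivalent is `nc -w 3 <ps4-ip> 9020 < loader.bin` followed by `nc -w 3 <ps4-ip> 9021 < payload.bin`; the script adds the retry loop for the not-yet-listening console and refuses to send an empty file.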

Dump a game from a Blu-ray disc or PSN

1. Download and extract the archive payloads (3.50.9.00).zip.

2. Create a text file named dumper.cfg (it can also be downloaded from here) and copy it to an exFAT-formatted USB drive, which will receive the dump. In it, set split = 0 to dump into a single CUSAxxxxx folder without separating app and patch files; split = 1 to dump only the app into CUSAxxxxx-app; split = 2 to dump only the patch into CUSAxxxxx-patch; split = 3 to dump both app and patch into separate folders. You can also change the interval between progress notifications (60 by default; 0 disables them). Set shutdown = 0 to power the console off when the dump finishes, or shutdown = 1 to keep the session running after the dump.

3. Run the exploit and inject the app-dumper.bin payload.

4. Insert the Blu-ray disc you intend to dump (or launch the PSN title if it is digital). Game updates may also be installed; they are dumped along with the game.

5. Minimize the web browser (PS button), but do not close it.

6. Launch the game you want to dump, get at least as far as its main menu, then minimize it (PS button).

7. Wait for completion. When the dump is finished the lights stop flashing and the console powers off automatically (if so configured in dumper.cfg).

8. Turn the console back on, remove the disc and, as a further test, try uninstalling the game.

9. Disconnect the USB drive from the console and connect it to the PC, then run gengp4.exe (you will have to obtain this tool yourself; we cannot link it here). Click File > Open, select the CUSAxxxxx-APP directory, click Generate .GP4; once it reports “Done”, click Save .GP4.

10. Still in gengp4.exe, select the CUSAxxxxx-PATCH directory, click Generate .GP4, wait for “Done”, then click Save .GP4.

11. Run orbis-pub-gen.exe (again, you will have to obtain this tool yourself; we cannot link it here), open CUSAXXXXX-APP.GP4 and click the Build button with the downward red arrow. When the build is finished, close the program.

12. Run orbis-pub-gen.exe again, open CUSAXXXXX-PATCH.GP4 and click the same Build button. When the build is finished, close the program.

13. You can now delete the CUSAXXXXX-APP and CUSAXXXXX-PATCH folders.

14. Open the .gp4 file in orbis-pub-gen.exe and create the .pkg file.

Exploit host (firmware 9.00): biteyourconsole.net/pOOBs4/

Download: Payload GoldHEN (firmware 9.00)

Download: pOOBs4 (exfathax.img)

Download: Source code pOOBs4

Source: twitter.com