PS4 officially jailbroken!

Preliminary archive of marcan's talk about hacking the PS4 to run Linux.

http://dekan.cch.c3voc.de/relive//33c3/7946/index.m3u8
What a machine that guy is. I learnt more about the PS4 from this video than from anything I read in any site or magazine or whatever.

PS4 is definitely not a PC despite using an x86 CPU and a Radeon GPU. The Aeolia bus, Starcha, how drivers work, the HDMI bus managed by an encoder, no hypervisor, ARM stuff, that's so interesting, especially the drivers and his exploits and so on.
 
Here's the link to the official archive of the stream: https://media.ccc.de/v/33c3-7946-console_hacking_2016

Edit to add some bullet points:

  • Path to code execution is WebKit exploit -> FreeBSD exploit -> your code here
  • Demonstration PS4 was running 4.05 firmware
  • Presentation was done entirely on the PS4 once it had booted up Gentoo Linux
  • PCIe was used as the vector to gain access to both the APU and "southbridge"
  • At the end of the demonstration, the "and one more thing" was
    starting up Steam and running Portal 2
 
The complaints about the AMD architecture, in particular SDMA, have to do with latency hiding within Radeon, right (or rather, how graphics programmers maximize the Radeon GPU by accounting for the 4-cycle latency)?
 
That was really cool, or batshit insane if you are going to use his own words. Need to Google search whether there are any videos on the Wii/Wii U etc. that they 0wned before.
 
The complaints about the AMD architecture, in particular SDMA, have to do with latency hiding within Radeon, right (or rather, how graphics programmers maximize the Radeon GPU by accounting for the 4-cycle latency)?
SDMA should be the hardware element exposed as the copy queue in DX12. What appears to be off is that the command packet parsing is off by 4 for the write operations he was trying to perform. The solution was to use something else to fill the data value he wanted to write.
These are queue commands to the device rather than GCN ISA.
Why there is a discrepancy with the SDMA processor compared to all the other microcode processors is unclear.

The PS4 is definitely going out of its way to do a number of things differently. Some of the various items that are considered broken may very well be things Sony doesn't care about, although the extra mile of complexity might be a reason why it seems Sony has so many lightly described firmware updates, while seemingly not correcting these exploits. Some of the roadblocks are areas where Sony is skipping legacy infrastructure, while others truly make me wonder what, if any, kind of vision is going into this.

The ARM SoC and its OS was not probed too much, but oddly enough it seems to be keyed into a lot of the contortions of the platform. The device abstraction, extra complications to memory indirection, and scripting interface for the HDMI controller (helped make the HDR retrofit possible?) make it look like the ARM had more Sony attention than some elements of the APU.

Perhaps it is because Sony's implementation is so readily broken that it was glossed over, but it's like the domain of the APU is supposed to plug into Sony's platform built into the southbridge, and the APU's domain is left oddly exposed with various security elements and hardware features underutilized.
If the PS5 comes out, I would wonder if the thing that stays more constant is the southbridge and its weirdness.
I keep wondering why it's implemented this way.

It's interesting that GPU's F32 ISA information was sussed out. I'm curious if that's due for a change. Nvidia has a proprietary ISA as well for its Falcon internal media cores, but it's apparently moving to RISC-V.
 
That was really cool, or batshit insane if you are going to use his own words. Need to Google search whether there are any videos on the Wii/Wii U etc. that they 0wned before.

You do need to check them out; for the Wii U, the tightening of the security of the DVD-ROM back door that was abused on the Wii is particularly noteworthy. CAPS for the win :)

The PS3 video was pretty good as well.

Also, the retrospective on the original Xbox security is a great watch: they detail the security from the side of the creators first and then go back and discuss it from the attacker's side. Security was breached in many ways, so this is quite interesting. Less on Linux and drivers, but this all predates fail0verflow.
 

Finally got around to looking at that. Fascinating. Some of the design decisions by Sony were strange, like why use DP output to an HDMI bridge for HDMI output rather than just directly outputting HDMI?

Similarly with using USB for HDD access, but SATA for Optical Drive access. At first I'd assumed it was something to do with security, but surely they'd want the optical drive access to be secure as well?

Then again, as the hacker constantly reinforces, it's probably just Sony being Sony and doing things in a non-optimal fashion just because they are Sony.

Wish someone would hack the XBO and do a similar presentation, but I'm guessing the security on the XBO is significantly tougher to circumvent.

Regards,
SB
 
Wish someone would hack the XBO and do a similar presentation, but I'm guessing the security on the XBO is significantly tougher to circumvent.

Regards,
SB

It's not that; the Xbox One is not interesting for pirates; only very few (good) titles are exclusive to the platform, and in the future there will be no exclusives at all any more. So almost every game is available for piracy already; no need to hack an Xbox if you can just use a cheap PC.
 
It's not that; the Xbox One is not interesting for pirates; only very few (good) titles are exclusive to the platform, and in the future there will be no exclusives at all any more. So almost every game is available for piracy already; no need to hack an Xbox if you can just use a cheap PC.
Huh?
No. That has nothing to do with it.
They are attempting, I assure you; a quick Google will showcase groups working to accomplish this.
 
Yes. All of them do since at least 2011 with the original Llano APUs, including the APU in the Xbox One/One S. That's why the choice for Sony to deliberately not use it seems so weird.

It sounds bonkers, hope we get the story behind it someday.
Could just be that the SoC HDMI interface was lacking in some way and they needed a better chip to do something, i.e. the external chip connected to the DVI or whatever it was.

Also wondering if they are using the same solution on the Pro....

Also hoping somebody is able to take apart the XB1 the same way the PS4 got dissected.
 
It sounds bonkers, hope we get the story behind it someday.
Could just be that the SoC HDMI interface was lacking in some way and they needed a better chip to do something, i.e. the external chip connected to the DVI or whatever it was.

Also wondering if they are using the same solution on the Pro....
Reviewing the slides indicates the interface is accessible through the southbridge for the PS4, and it was stated that the limited review of the PS4 Pro didn't show any major differences.
If Sony's point for all this was that it wants full control of how an outside vendor's silicon connects to the outside world, then it would keep the Pro dependent on the southbridge. It might go so far as to change some of the particulars of the interface like it did with the (external) change to SATA 3 for the HDD, but still keep the secondary processor as the intermediary.

Also hoping somebody is able to take apart the XB1 the same way the PS4 got dissected.
Perhaps, although it seems possible that Microsoft cares more than Sony apparently did.
 
One thing I would be curious to see hacked is whether they can replace the game the PS2 emulator is running on those few released titles with something unofficial, if that's even possible.

The biggest problem would be the potential for people hacking in multiplayer games. In terms of widespread piracy, I have a hard time seeing it happening now; it's not as plug and play as it used to be (going by the PS3 piracy), and multiplayer games are not like in the PS2 days, so it should be possible to ban consoles/accounts.
 
I don't think the Sony population would be affected by widespread piracy.
Sony's bottom line would be affected due to less purchases and therefore less licensing revenue.
Their developers and publishers would be pissed.

That's about it, but the gamers would be fine ;)
 