PS4 officially Jail Broken!

Discussion in 'Console Technology' started by Cyan, May 14, 2015.

  1. Cyan

    Cyan orange
    Legend

    Joined:
    Apr 24, 2007
    Messages:
    9,734
    Likes Received:
    3,460
    What a machine that guy is. I learnt more about the PS4 from this video than from anything I read in any site or magazine or whatever.

    PS4 is definitely not a PC despite using an x86 CPU and a Radeon GPU. The Aeolia bus, Starcha, how drivers work, the HDMI bus managed by an encoder, no hypervisor, ARM stuff, that's so interesting, especially the drivers and his exploits and so on.
     
    orangpelupa likes this.
  2. mrcorbo

    mrcorbo Foo Fighter
    Veteran

    Joined:
    Dec 8, 2004
    Messages:
    4,024
    Likes Received:
    2,851
    Here's the link to the official archive of the stream: https://media.ccc.de/v/33c3-7946-console_hacking_2016

    Edit to add some bullet points:

    • Path to code execution is Webkit exploit -> FreeBSD exploit -> your code here
    • Demonstration PS4 was running 4.05 firmware
    • Presentation was done entirely on the PS4 once it had booted up Gentoo Linux
    • PCIe was used as the vector to gain access to both the APU and "southbridge"
    • At the end of the demonstration, the "and one more thing" was
      starting up Steam and running Portal 2
     
    #142 mrcorbo, Dec 28, 2016
    Last edited: Dec 28, 2016
  3. iroboto

    iroboto Daft Funk
    Legend Subscriber

    Joined:
    Mar 6, 2014
    Messages:
    14,833
    Likes Received:
    18,632
    Location:
    The North
    The complaints about the AMD architecture, in particular SDMA, have to do with latency hiding within Radeon, right (or rather, how graphics programmers maximize the Radeon GPU by accounting for the 4-cycle latency)?
     
  4. JPT

    JPT
    Veteran

    Joined:
    Apr 15, 2007
    Messages:
    2,505
    Likes Received:
    943
    Location:
    Oslo, Norway
    That was really cool, or batshit insane, to use his own words. Need to Google whether there are any videos on Wii/Wii U etc. that they 0wned before.
     
    orangpelupa likes this.
  5. 3dilettante

    Legend Alpha

    Joined:
    Sep 15, 2003
    Messages:
    8,579
    Likes Received:
    4,799
    Location:
    Well within 3d
    SDMA should be the hardware element exposed as the copy queue in DX12. What appears to be off is that the command packet parsing is off by 4 for the write operations he was trying to perform. The solution was to use something else to fill the data value he wanted to write.
    These are queue commands to the device rather than GCN ISA.
    Why there is a discrepancy with the SDMA processor compared to all the other microcode processors is unclear.

    The PS4 is definitely going out of its way to do a number of things differently. Some of the various items that are considered broken may very well be things Sony doesn't care about, although the extra mile of complexity might be a reason why it seems Sony has so many lightly described firmware updates, while seemingly not correcting these exploits. Some of the roadblocks are areas where Sony is skipping legacy infrastructure, while others truly make me wonder what, if any, kind of vision is going into this.

    The ARM SoC and its OS was not probed too much, but oddly enough it seems to be keyed into a lot of the contortions of the platform. The device abstraction, extra complications to memory indirection, and scripting interface for the HDMI controller (helped make the HDR retrofit possible?) make it look like the ARM had more Sony attention than some elements of the APU.

    Perhaps it is because Sony's implementation is so readily broken that it was glossed over, but it's like the domain of the APU is supposed to plug into Sony's platform built into the southbridge, and the APU's domain is left oddly exposed with various security elements and hardware features underutilized.
    If the PS5 comes out, I would wonder if the thing that stays more constant is the southbridge and its weirdness.
    I keep wondering why it's implemented this way.

    It's interesting that GPU's F32 ISA information was sussed out. I'm curious if that's due for a change. Nvidia has a proprietary ISA as well for its Falcon internal media cores, but it's apparently moving to RISC-V.
     
    DSoup, Cyan, iroboto and 2 others like this.
  6. turkey

    Veteran

    Joined:
    Oct 21, 2014
    Messages:
    1,112
    Likes Received:
    883
    Location:
    London
    You do need to check them out. For the Wii U, the tightening of the security of the DVD ROM back door that was abused on the Wii is particularly noteworthy, CAPS for the win :)

    The PS3 video was pretty good as well.

    Also, the retrospective on the original Xbox security is a great watch; they detail the security from the side of the creators first and then go back and discuss it from the attackers' side. Security was breached in many ways, so this is quite interesting. Less on Linux and drivers, but this all predates fail0verflow.
     
    BRiT likes this.
  7. Silent_Buddha

    Legend

    Joined:
    Mar 13, 2007
    Messages:
    19,418
    Likes Received:
    10,311
    Finally got around to looking at that. Fascinating. Some of the design decisions by Sony were strange. Like why use DP output to an HDMI bridge for HDMI output rather than just directly outputting to HDMI?

    Similarly with using USB for HDD access, but SATA for Optical Drive access. At first I'd assumed it was something to do with security, but surely they'd want the optical drive access to be secure as well?

    Then again, as the hacker constantly reinforces, it's probably just Sony being Sony and doing things in a non-optimal fashion just because they are Sony.

    Wish someone would hack the XBO and do a similar presentation, but I'm guessing the security on XBO is significantly tougher to circumvent.

    Regards,
    SB
     
    RootKit likes this.
  8. orangpelupa

    orangpelupa Elite Bug Hunter
    Legend

    Joined:
    Oct 14, 2008
    Messages:
    10,466
    Likes Received:
    3,186
    So they can upgrade it to SATA in the newer PS4, and Digital Foundry will analyze it and basically promote it for Sony to the techie crowds.

    :p
     
  9. mrcorbo

    mrcorbo Foo Fighter
    Veteran

    Joined:
    Dec 8, 2004
    Messages:
    4,024
    Likes Received:
    2,851
    Maybe this is what allowed them to add HDR output support to all PS4's.
     
    DSoup and orangpelupa like this.
  10. ProspectorPete

    Regular

    Joined:
    Feb 1, 2017
    Messages:
    414
    Likes Received:
    137
    It could also have to do with the APU design; do any AMD APUs have direct HDMI output, like, at all?
     
  11. ProspectorPete

    Regular

    Joined:
    Feb 1, 2017
    Messages:
    414
    Likes Received:
    137
    It's not that; Xbox One is not interesting for pirates. Only very few (good) titles are exclusive to the platform, and in the future there will be no exclusives at all any more. So almost every game is available for piracy already; no need to hack an Xbox if you can just use a cheap PC.
     
  12. iroboto

    iroboto Daft Funk
    Legend Subscriber

    Joined:
    Mar 6, 2014
    Messages:
    14,833
    Likes Received:
    18,632
    Location:
    The North
    Huh?
    No, that has nothing to do with it.
    They are attempting, I assure you; a quick Google will showcase groups working to accomplish this.
     
    RootKit likes this.
  13. mrcorbo

    mrcorbo Foo Fighter
    Veteran

    Joined:
    Dec 8, 2004
    Messages:
    4,024
    Likes Received:
    2,851
    Yes. All of them do since at least 2011 with the original Llano APUs, including the APU in the Xbox One/One S. That's why the choice for Sony to deliberately not use it seems so weird.
     
    RootKit and BRiT like this.
  14. JPT

    JPT
    Veteran

    Joined:
    Apr 15, 2007
    Messages:
    2,505
    Likes Received:
    943
    Location:
    Oslo, Norway
    It sounds bonkers; hope we get the story behind it someday.
    Could just be that the SoC HDMI interface was lacking in some way and they needed a better chip to do something, i.e. the external chip connected to the DVI or whatever it was.

    Also wondering if they are using the same solution on the Pro...

    Also hoping somebody is able to take apart the XB1 the same way the PS4 got dissected.
     
  15. 3dilettante

    Legend Alpha

    Joined:
    Sep 15, 2003
    Messages:
    8,579
    Likes Received:
    4,799
    Location:
    Well within 3d
    Reviewing the slides indicates the interface is accessible through the southbridge for the PS4, and it was stated that the limited review of the PS4 Pro didn't show any major differences.
    If Sony's point for all this was that it wants full control of how an outside vendor's silicon connects to the outside world, then it would keep the Pro dependent on the southbridge. It might go so far as to change some of the particulars of the interface like it did with the (external) change to SATA 3 for the HDD, but still keep the secondary processor as the intermediary.

    Perhaps, although it seems possible that Microsoft cares more than Sony apparently did.
     
    BRiT likes this.
  16. Cyan

    Cyan orange
    Legend

    Joined:
    Apr 24, 2007
    Messages:
    9,734
    Likes Received:
    3,460
  17. tuna

    Veteran

    Joined:
    Mar 10, 2002
    Messages:
    3,550
    Likes Received:
    589
    It has already been hacked. Or is this related to CFW and pirate games?
     
    orangpelupa and chris1515 like this.
  18. MrFox

    MrFox Deludedly Fantastic
    Legend

    Joined:
    Jan 7, 2012
    Messages:
    6,488
    Likes Received:
    5,996
    Surely this is about perfectly legal homebrew. :confused:
     
    orangpelupa likes this.
  19. HMBR

    Regular

    Joined:
    Mar 24, 2009
    Messages:
    418
    Likes Received:
    106
    One thing I would be curious to see hacked is whether they can replace the game the PS2 emulator is running on those few released with something unofficial, if that's even possible.

    The biggest problem would be the potential for people hacking in multiplayer games. In terms of widespread piracy, I have a hard time seeing it happening now; it's not as plug and play as it used to be (going by the PS3 piracy), and multiplayer games are not like in PS2 days, so it should be possible to ban consoles/accounts.
     
  20. iroboto

    iroboto Daft Funk
    Legend Subscriber

    Joined:
    Mar 6, 2014
    Messages:
    14,833
    Likes Received:
    18,632
    Location:
    The North
    I don't think the Sony population would be affected by widespread piracy.
    Sony's bottom line would be affected due to less purchases and therefore less licensing revenue.
    Their developers and publishers would be pissed.

    That's about it, but the gamers would be fine ;)
     