Hacker claims PlayStation 4 jailbreak via FreeBSD kernel exploit
Mon 14 Dec 2015
A hacker has claimed to have broken Sony’s protection over content on the PlayStation 4 console. GitHub user CTurt describes himself as a ‘C programmer interested in exploits and reverse engineering’ who also ‘dabbles in game design and web development’, and posted news of his claimed breakthrough on his Twitter account at the weekend:
Just broke WebKit process out of a FreeBSD jail (cred->cr_prison = &prison0). Guess you could say the PS4 is now officially “jailbroken” 😛
The background to the exploit is thoroughly documented in a very long post by CTurt on his GitHub site, and he has also uploaded what he describes as an ‘Open source SDK’ for the PS4 to the code-repository section of his account.
The exploit permits RAM dumping from other processes and the installation of custom firmware which would allow applications not approved by Sony to be run on the machine. The jailbreak, if such it is, is said currently to run only on firmware version 1.76, but is capable of being altered to achieve the same breakout from more recent firmware iterations.
The practical effect of the hack is to potentially enable the playing of pirated content, such as duplicated videogames, on the PS4. Additionally it could open the path to home-brewed apps which would never have got past the Sony firewall, such as Popcorn Time-style video streaming or access to APIs for services which have reached no PS4 agreements with Sony.
Apparently the key to the jailbreak is to un-sandbox a WebKit process from the FreeBSD core of the PS4 operating system, Orbis OS. Of the similarities between the Unix-like FreeBSD and the Sony proprietary OS, CTurt writes: ‘the PS4’s Orbis OS is based on FreeBSD, just like the PS3’s OS was (with parts of NetBSD as well); but as well as FreeBSD 9.0, other noticeable software used includes Mono VM, and WebKit.’
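The tweet quoted above reduces the breakout to a single pointer write, cred->cr_prison = &prison0, because FreeBSD’s own jailed() check is nothing more than a comparison against that pointer. The following model, added here as an illustration and not code from the PS4, Orbis OS or CTurt’s SDK, mirrors that check with simplified stand-in structures and adds a hypothetical cross-check against the prison a process was created in, which is an assumption of this example rather than a FreeBSD facility.

```c
/* Simplified model of FreeBSD's jail credential check. Names mirror FreeBSD
 * (struct prison, struct ucred, cr_prison, prison0) but the bodies are
 * reduced stand-ins; this is an added illustration, not PS4 or SDK code. */
#include <stdio.h>
#include <stdbool.h>

struct prison { int pr_id; const char *pr_name; };
struct ucred  { struct prison *cr_prison; };

/* prison0 is the host ("not jailed") prison, as in FreeBSD's kern_jail.c. */
static struct prison prison0 = { 0, "host" };

/* Mirrors FreeBSD's jailed(): a credential is confined unless it points at prison0. */
static bool jailed(const struct ucred *cred) {
    return cred->cr_prison != &prison0;
}

/* Hypothetical integrity record (not a FreeBSD facility): remember the prison a
 * process was created in so a later rewrite of cr_prison can be noticed. */
struct proc_record { struct ucred cred; struct prison *expected_prison; };

static bool cred_tampered(const struct proc_record *p) {
    return p->cred.cr_prison != p->expected_prison;
}

/* Simulate the WebKit process: created inside a constructed sample jail, then its
 * cr_prison is rewritten to &prison0 as the tweet describes. Returns 1 when the
 * process was confined before, is treated as host afterwards, and the cross-check
 * flags the mismatch; 0 otherwise. */
static int simulate_escape(void) {
    struct prison webkit_jail = { 7, "webkit" };            /* constructed sample jail */
    struct proc_record p = { { &webkit_jail }, &webkit_jail };
    bool before = jailed(&p.cred);                           /* true: properly confined */
    p.cred.cr_prison = &prison0;                             /* the write from the tweet */
    bool after = jailed(&p.cred);                            /* false: kernel now sees "host" */
    return (before && !after && cred_tampered(&p)) ? 1 : 0;
}

int main(void) {
    printf("jailed() fooled, cross-check detects escape: %s\n",
           simulate_escape() ? "yes" : "no");
    return 0;
}
```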
CTurt notes that the version of WebKit used in the hacked system is vulnerable to CVE-2012-3748, a heap buffer overflow originally identified as putting Apple’s Safari 6.0.1 web browser, iOS 6.0 and OS X 10.7/8 at risk. Effectively the vulnerability has traversed operating systems because of the popularity of the WebKit engine which underpins Safari, and which has traditionally been attacked for reasons other than the hunt for a PS4 vulnerability.
The exploit works by hijacking launched processes which have already passed Sony’s Data Execution Prevention (DEP) safeguards and are ‘cleared’ to run, even though they were initially launched to achieve a different task entirely. Once these cleared processes are hijacked, Return Oriented Programming (ROP) techniques are used to repurpose them. CTurt observes: ‘Think of ROP as writing a new chapter to a book, using only words that have appeared at the end of sentences in the previous chapters.’