Specter

@SpecterDev

Followers: 37K
Following: 2K
Media: 59
Statuses: 1K

Interested in Security and Exploit Development. Nano is the one true text editor.

Joined August 2015
@SpecterDev
Specter
4 months
My @dayzerosec co-host zi and I are giving our 1st training @ with a focus on attacking security hypervisors! Trainings are something we've wanted to do for a while. Take a look and share to those who would be interested :).
5
36
207
@SpecterDev
Specter
3 years
Here it is. Thanks to everyone mentioned earlier. Be warned stability is not great, something to be improved on for sure.
90
341
2K
@SpecterDev
Specter
6 years
I'm releasing the WebKit code execution RCE I spoke of yesterday targeting PS4 6.20 firmware. Gadgets and potentially the code execution strategy will need to be adjusted for lower firmwares. Have fun :).
239
308
1K
@SpecterDev
Specter
3 years
9.👀 (awesome work by chendochap & @Znullptr)
162
217
1K
@SpecterDev
Specter
7 years
The 5.05 kernel exploit stack is now released! It includes the kexploit and autolaunches homebrew patches and mira. On subsequent page loads it listens for payloads. Source is up here
270
421
1K
@SpecterDev
Specter
7 years
Within the next few weeks there will be a PS4 5.05 full stack release including tools for homebrew development. Some other tools will be dropped as time goes on. Don’t update your <= 5.05 consoles if you care about homebrew. Hope to see cool stuff soon :).
204
299
1K
@SpecterDev
Specter
3 years
For those interested in a webkit PS5 kernel exploit implementation, it's on track to be ready soon - stay on 4.03 :). Still wanna do some cleanup and such but a lot of the major work is done. Obv without @theflow0 this wouldn't be possible :P. 1/2
Tweet media one
Tweet media two
78
194
976
@SpecterDev
Specter
3 years
9.00 is up. Again, grats to ChendoChap, fast work and great exploit (and @sleirsgoevy for webkit).
80
155
841
@SpecterDev
Specter
7 years
Took me a bit longer than I'd hoped - but the PS4 5.05 Kernel Exploit writeup has now been published :). If you have any suggestions for clarity or corrections, please add the issue to the GitHub repo or reply them to this tweet.
135
227
817
@SpecterDev
Specter
8 months
Tweet media one
71
106
810
@SpecterDev
Specter
8 months
Feels great when an idea can finally be tested and works out after like a year :). Shouts to ChendoChap for working out the ROP chain. Protip: staying < 3.00 is a good idea.
Tweet media one
53
97
793
@SpecterDev
Specter
6 years
The 6.50 FW update seems to have patched a WebKit exploit I wrote up a month or so ago. I may drop the exploit soon so if you're a dev that wants to play with WebKit don't update :).
130
118
722
@SpecterDev
Specter
3 years
PS5 Kernel Exploit v1.01. Some recent changes I made + Chendo's original stability improvements have stability high now at about 80-90%. There's also some other nice improvements + a WIP ELF loader :).
47
137
718
@SpecterDev
Specter
7 years
Hope everyone had a Merry Christmas! Here's the 4.05 kernel exploit, fully implemented. Enjoy! Write-up coming soon!
84
345
687
@SpecterDev
Specter
7 years
The PS4 4.55/FreeBSD BPF kernel exploit writeup is now up on my GitHub repo! The bug is present on any system running FreeBSD such that you have privileges (which we did on PS4). Could be used on other systems for root to ring0 code execution.
41
293
687
@SpecterDev
Specter
5 years
The PS4 toolchain BETA has dropped! Massive thanks to all the effort by everyone. Shouts @CrazyVoidPS4 @kd_tech_ @m4xton @flat_z and anyone else I may have missed! This took months of effort from all and it's awesome to be able to finally share it.
97
99
669
@SpecterDev
Specter
5 years
ChendoChap released a PS4 exploit implementation of ipv6 for firmwares 5.05 - 6.72, recommend checking it out :D might be more stable than current implementations where it's hand-written ROP.
65
158
652
@SpecterDev
Specter
5 years
After many months of work in collaboration with @diwidog and @CrazyVoidPS4 w/ help from @flat_z, we have a hello world homebrew app running on the PS4 built with a custom toolchain / non-sony SDK! Still work to be done, but this is a big step for homebrew.
Tweet media one
Tweet media two
79
117
624
@SpecterDev
Specter
7 months
I've published the repo for Byepervisor (we love named vulns out here). Contains exploit implementation for two PS5 hypervisor bugs for 2.xx and lower. Slides from the talk + vod should hopefully be published soon.
42
126
661
@SpecterDev
Specter
5 years
Seems homebrew built with the OpenOrbis PS4 Toolchain works out of the box on 6.72 with no changes needed from 5.05 (unless you do kernel stuff in your homebrew which need offsets ported). Happy homebrew dev :).
52
74
619
@SpecterDev
Specter
8 months
I've published a webkit implementation of UMTX exploit for PS5 on 2.xx firmwares. Hoping to add support for 1.xx firmwares soon, higher firmwares will take some changes to make it work. See README for details as always.
67
123
640
@SpecterDev
Specter
3 years
PPPoE bug patch in PS4. As can be seen, patched in 9.03 on the right. Probably not worth attempting to exploit this on PS4 as it won't move firmware forward. Also probably would end up less stable than exFAT exploit because mbuf zone corruption kinda sucks.
Tweet media one
65
87
586
@SpecterDev
Specter
3 years
Seeing a bit of confusion on 9.03 - this will *not* work on 9.03, it's patched. Only 9.00 and below.
60
36
552
@SpecterDev
Specter
7 years
A few notes on the 5.05 exploit:
1) The page will crash after the kernel exploit successfully runs, this is normal.
2) First load after successful exploitation will autoload HEN and Mira (can get klog by nc [ps4 ip] 9998).
3) Subsequent loads go to the usual payload launcher.
61
110
528
@SpecterDev
Specter
5 years
Please don't donate to people rehosting sleirsgoevy's exploit who add their own donation links on there (esp the ones who don't make it clear it's not actually going to him). People really out here adding their own donation links to other people's exploits.
32
75
524
@SpecterDev
Specter
4 years
Everyone be out here like "it'd be cool to get a ps5 exploit/jailbreak" and I'm here like "it'd be cool to get a ps5".
37
36
535
@SpecterDev
Specter
5 years
PS4 Toolchain at its current stage can now support video out, audio out, freetype, and full libc support. This is a video demonstrating all of these pulled directly from the PS4, built without using any Sony SDK material :D
35
107
513
@SpecterDev
Specter
8 months
Pushed v1.2, exploit's been updated with an implementation that works on 3.xx-5.xx (heap spray go brrr), also some support for other misc low fw. ELF loader and payloads will not work on 5.00+ for a while due to dlsym changes. Payload SDK needs changes.
64
80
539
@SpecterDev
Specter
4 years
Win. Not winning super often, but with @tihmstar's tips + slow CPU on the PS4 I think it'll be more stable with some work.
Tweet media one
21
57
492
@SpecterDev
Specter
7 years
Exploit Works ✓
WebKit Stable ✓
Games Launch ✓
:)
Tweet media one
80
157
454
@SpecterDev
Specter
7 years
I've published my writeup of the PS4 4.05 Kernel Exploit! Please feel free to send corrections to me if you find any errors :)
19
224
474
@SpecterDev
Specter
3 years
We've released a PS5 SDK (primarily for building payloads atm). It resolves basic libkernel/libc stuff and has some kernel hacking helpers. You will need latest version of WebKit+Kernel chain for ELF loader updates. As always, contribution appreciated.
17
93
451
@SpecterDev
Specter
3 months
I've published a write-up on reversing and analyzing Samsung's H-Arx hypervisor architecture for Exynos devices, which has had a lot of changes in recent years and pretty interesting design. Hope you all enjoy :).
3
96
458
@SpecterDev
Specter
1 year
Since I've seen a lot of ppl asking about it, theflow's latest RCE won't easily be adapted to PS5. PS4 is much weaker in terms of mitigations which played a part in allowing a remote exploit w/o userland code execution. PS5 is different. SMAP+CFI make this much harder to do. 1/2.
25
48
427
@SpecterDev
Specter
4 years
Want to clear some things up that are confusing some people. Please don't donate to our streams thinking you're "investing" in an exploit release or something, only donate if you enjoy the streams and want to. We're streaming the research because it's educational and interesting.
29
38
399
@SpecterDev
Specter
8 months
Added 1.xx firmware support to UMTX exploit chain.
28
43
407
@SpecterDev
Specter
4 years
I cleaned up my kernel exploit POC for the IP6 FreeBSD bug. If anyone wants to play with it I put it up. Mostly it's a reference for when @tihmstar and I get around to the PS4 port, so I didn't tweak stability a lot for BSD VM, but timings can be tweaked.
14
73
379
@SpecterDev
Specter
3 years
Was hoping to get exfat bug working but the exploit scenario on PS5 is much tougher than PS4. Might still be possible to find a way but a lot of work will need to be put into finding a viable path. But at least the userland portion is out there so it can be attempted/tested :P.
@Znullptr
Z
3 years
We've released a small writeup and some code for userland exec on PS5. DNS redirection to https works.
12
44
363
@SpecterDev
Specter
5 years
I just fixed a performance bug in create-eboot in the toolchain which resulted in a performance boost of 7800%. This is probably the happiest debugging moment I've ever had.
16
25
357
@SpecterDev
Specter
4 years
I'll do a stream in about 15 minutes w/ @tihmstar looking at the new new IPV6 bug and exploiting PS4 (first on 5.05 then moving up after). Probably the first of multiple streams.
14
41
354
@SpecterDev
Specter
2 years
Released payload source for decrypting PS5 SELFs. Read notes in README as they're fairly important, will also need to pull latest PS5SDK changes to build it. It's not perfect and may hang/freeze due to not being able to do proper locking.
12
83
368
@SpecterDev
Specter
3 years
@ps4_hacking @Znullptr Very stable, ChendoChap wrote an excellent exploit here, it's near the stability of 5.05. It takes a bit more effort than previous exploits to do but it's not a big problem since it's so stable.
22
36
335
@SpecterDev
Specter
4 years
Not sure how useful it'll be to others out there, but I cleaned up and open sourced the kernel hooking payload I wrote up for the streams. It's a minimal payload so you don't have to run a daemon, handy for exploit debugging. Excuse its nasty hacks.
20
40
332
@SpecterDev
Specter
8 months
Big breakthrough discovered, by allocating a bunch of memory you can trigger out of memory, I can't believe Sony won't pay for this novel research.
@idebty
Debty
9 months
Someone modified my code, idk what he did but he just made it trigger an error every time, it's a system error at that. It seems like he's trying to make it copy a payload.bin. This might be a first for Sony, an exploit that releases for the latest firmware.
19
31
350
@SpecterDev
Specter
3 years
Mira is already ported for enabling homebrew, loader and ELF can be found here
Loader -> port 9020 on payload page.
ELF -> port 9021.
18
40
310
@SpecterDev
Specter
7 years
I've published the 4.55 WebKit exploit write-up for the "setAttributeNodeNS()" bug! As always, let me know if you find any mistakes :).
16
125
319
@SpecterDev
Specter
2 years
Published part 2 of the AMD PSP reversing stuff. This one focuses on the Crypto Co-Processor (CCP) and looking at the system for loading firmware and decrypting it.
8
77
317
@SpecterDev
Specter
5 years
Not long now.
Tweet media one
28
56
309
@SpecterDev
Specter
3 years
Also shouldn't forget @sleirsgoevy for his 9.00 webkit exploit too :).
11
21
301
@SpecterDev
Specter
2 years
In my presentation @hardwear_io I talked about how underestimated data-only attacks can be. Here's an example: decrypting system files by sending messages to the PSP with just kernel arb. read/write :)
Tweet media one
4
42
307
@SpecterDev
Specter
2 years
Put out a blog post on some reversing I've been doing on the side of the AMD Platform Security Processor / PSP. Part 1 is an overview of the design and memory-mapped I/O (MMIO), part 2 will be on the Crypto Co-Processor MMIO.
8
72
307
@SpecterDev
Specter
3 years
Thanks to some RE work by ChendoChap, repo should now have support for 4.50. If you're on that fw give it a try. If you're on lower, you should probably stay lower :P.
25
48
296
@SpecterDev
Specter
4 years
Very nice, I do still want to see if the zone reclaim strategy is possible on PS4 though, for potential future exploits if nothing else :).
@sleirsgoevy
sleirsgoevy
4 years
Another FreeBSD PoC, now utilizing TheFlow's hint. Does not do any zone drains, so should be more portable. Fun fact: it **seems** that the function tweeted by TheFlow does not need to be buggy. A patched one would also do its job.
19
20
282
@SpecterDev
Specter
7 months
Slides
@SpecterDev
Specter
7 months
I've published the repo for Byepervisor (we love named vulns out here). Contains exploit implementation for two PS5 hypervisor bugs for 2.xx and lower. Slides from the talk + vod should hopefully be published soon.
9
53
295
@SpecterDev
Specter
5 years
PS4 toolchain v0.5 is out! Includes stub modules to avoid breaking games, SDL2, C++ threading and synchronization, and a big bag of bug fixes. More in the changelog. Recommend updating your Mira version and using the updated VS templates.
17
46
272
@SpecterDev
Specter
5 years
I've just put out 5 videos on an overview of the toolchain and tutorials on how to do various things. 3 more are coming in a few days time.
23
55
274
@SpecterDev
Specter
3 years
Look at that jump cut, obviously fake. The specter guy said it was to censor the mac address but really that's just an excuse, who cares about mac addresses anyway.
@SpecterDev
Specter
3 years
9.👀 (awesome work by chendochap & @Znullptr)
18
17
278
@SpecterDev
Specter
7 years
4.55 Full Stack Enjoy :) Cheers @qwertyoruiopz @flat_z.
42
108
271
@SpecterDev
Specter
2 years
Just to clarify I won't be dropping new exploits/bugs it's mostly a reversing-focused talk and talks about exploitation techniques/mitigations on a whole :P.
@frwololo
Wololo
2 years
PS5: Upcoming PS5 Security talk by SpecterDev, spreads new rumors of a Hypervisor exploit
24
19
274
@SpecterDev
Specter
5 years
I laugh at people who call researchers who report to sony's H1 bounty "traitors". Imagine thinking that a researcher should effectively throw away 10's of thousands of dollars to drop a 0d for a scene comprised of 98% piracy and like 2% homebrew. 1/2.
40
20
267
@SpecterDev
Specter
4 years
Seems we're ok - it was a bad UART connection. Seems if you have UART enabled and the data can't be sent, the system hangs indefinitely when booting. Silly code but doubtful Sony would test for faulty UART connection in QA :D. PS4 should be good for Tuesday for more punishment.
19
18
250
@SpecterDev
Specter
8 months
Kind of wild that sony doesn't seem to care about anyone else in the BSD ecosystem to upstream vuln fixes and hoards them so they don't get n-day'd. I'm obviously biased but it's still something I'd be kinda pissed about if I was in the BSD community.
@notnotzecoxao
Jose Coixao
8 months
confirmed by flatz that 8.00 patches this bug.
17
24
265
@SpecterDev
Specter
7 years
Been seeing people criticize the progress of Mira. If you think its development is taking too long - find an open issue, fork the repo, and contribute - it's open source after all! If you don't want to contribute that's fine, but don't make unhelpful comments.
26
17
233
@SpecterDev
Specter
3 years
Just wanna temper some expectations; if/when the IPV6 exploit is released, post-exploitation is not as easy as PS4. Homebrew will take a lot of effort. XOM prevents dumping kernel and HV prevents patching/hooking kernel. It'll mostly only really be useful for devs.
7
20
238
@SpecterDev
Specter
3 years
Seeing some people curious about firmware (4.03/4.50) with the webkit/kernel chain. From what I know webkit exploit should work on 4.50 (haven't tested myself), but you'd need to bruteforce ROP gadgets or dump the modules with bd-j exploit. I did 4.03 as I had chendo's gadgets.
7
27
232
@SpecterDev
Specter
7 years
From what I'm seeing it seems 5.05 and 5.07 (a rare firmware) webkit and kernel binaries may be identical, so release should work on both :).
18
38
224
@SpecterDev
Specter
4 years
There's also a lot of people who seem to misunderstand where a lot of instability comes from. On 7.0x+ a lot of the instability comes from the webkit exploit because of the ASLR bruteforce. Seen a fair share of people unfairly attributing instability to @sleirsgoevy.
@_AlAzif
Al Azif
4 years
Same people who were saying yesterday they'd be fine with a 1:100 success rate are bitching on day one about the success rate. And people are wondering why I'm holding off on adding it to the DNS.
16
24
229
@SpecterDev
Specter
7 years
I wonder if any of the people taking shots at @qwertyoruiopz saying he doesn't contribute to the scene realize:
1. He assisted with 1.76 dlclose.
2. The bpf kernel exploit (4.55) is his bug.
3. He's assisted devs such as myself on many occasions.
He's contributed more than most :>.
33
33
224
@SpecterDev
Specter
4 years
RIP @m4xton, PS4 homebrew wouldn't be possible without your awesome contributions.
28
22
215
@SpecterDev
Specter
5 years
I've been working on porting and smoothly integrating SDL into the PS4 toolchain for v0.5 based on @Znullptr's initial port, and after many hours and noob game dev pitfalls, I have a cool little game :D (recorded from the PS4)
14
12
219
@SpecterDev
Specter
8 years
I've done a little write-up about the PS4 4.0x exploit. Those more knowledgeable feel free to correct my mistakes :)
10
128
227
@SpecterDev
Specter
7 years
Here's a roadmap on projected tools and such for homebrew development on the PS4. Green = done, Yellow = in progress, Red = not started.
17
49
221
@SpecterDev
Specter
1 year
XOM also plays a role, even if CFI were a non-issue, you can't easily get gadgets to ROP with either. It might not be impossible but a new strategy would be needed and you'd need to go for R/W. You'd also likely need userland code exec. I wouldn't expect anything soon. 2/2.
15
15
224
@SpecterDev
Specter
5 years
v0.3 of the PS4 toolchain has dropped, includes MUSL, debugging info / section table support for OELFs, and various bug fixes.
19
51
214
@SpecterDev
Specter
2 years
Relative relocations should work now in the ELF loader of the latest PS5 webkit-based exploit chain. Build scripts and such have also been updated in PS5SDK.
14
47
219
@SpecterDev
Specter
7 years
I'm gonna debunk these "devs are waiting for X game to drop another jailbreak" theories with one simple fact: none of us care about piracy. If I want to play X game, I'll buy it and play it on my main PS4.
57
20
211
@SpecterDev
Specter
6 years
I've published a write-up on the Android Binder use-after-free kernel bug that p0 discovered recently affected the Pixel 2 and Galaxy S7/S8/S9. It goes into technical details of how an arbitrary read/write is established :).
6
61
213
@SpecterDev
Specter
7 years
Tweet media one
10
14
200
@SpecterDev
Specter
2 years
Time to pack it in everyone, sorry to say but security research is over.
Tweet media one
17
13
209
@SpecterDev
Specter
7 years
I see some people voicing stupid comments like "why didn't you release this sooner" and "why not release the payload" to @flat_z, please keep in mind this work took him *MONTHS* and he did it for *FREE*, so nobody has any right to complain.
29
21
202
@SpecterDev
Specter
7 years
I think I'm going to try to focus efforts on fixing the suspend/wakeup issues with Mira now that I have a bit more time, as they're quite annoying.
27
11
197
@SpecterDev
Specter
7 years
Almost forgot to include js_shellcode.py - my Python script to convert payloads to shellcode - you'll need to use this if you want to update Mira/HEN (and reintegrate) or add a custom payload to auto launch. Usage: python js_shellcode.py [.bin] code_addr.
12
28
199
@SpecterDev
Specter
3 years
21
13
196
@SpecterDev
Specter
3 years
Ya know, when the PS5 is rebooting from a panic and it spins for 5 minutes because it's firewall'd waiting to connect to reporting servers, I forget I even turned it back on most of the time until like 15-30min later.
6
12
196
@SpecterDev
Specter
7 years
Just to put this out there - I know some are having issues with the system black screening when rebooting out of sleep mode, though I believe this is an issue with Mira, not the exploit itself. It's on the to-do list. Hold power button down for ~10s to force shutdown and reboot.
21
43
182
@SpecterDev
Specter
2 years
I'm gonna do a stream in about 5-10 minutes reversing some AMD PSP stuff and also just chilling discussing summer stuff.
5
25
192
@SpecterDev
Specter
7 years
A few days ago I finally started working on the Guitar Hero clone engine that I've been wanting to do for so long. Partially for fun/learning, partially because I want to port it to homebrew for the PS4/Switch eventually. I now have the highway + notes rendering at low-level :)
Tweet media one
17
11
179
@SpecterDev
Specter
4 years
(hopefully not but probably) RIP old friend
41
8
183
@SpecterDev
Specter
5 years
I wrote a blog post on some of the interesting challenges I encountered porting MUSL to PS4, including that weird FreeBSD syscall patch which clears R8-R10 on sysret.
17
30
175
@SpecterDev
Specter
5 years
All a hacker needs for a kernel exploit is 15% of a bug.
9
22
169
@SpecterDev
Specter
6 years
0A0E5C02B1422D2E3DAE563CED69E8C3F529195B63F97FC5E42C6A699940A307 :).
45
26
168
@SpecterDev
Specter
5 years
Toolchain v0.2 has now released, includes MacOS support (thanks to @lord_friky) and fixes for building libraries and many other bug fixes (thanks to @3226_2143). Release details have full patch notes.
12
37
170
@SpecterDev
Specter
7 years
PSA: Please stop mass tagging people, it never yields the response you want, and it can get a bit annoying when so many people start doing it :(.
40
7
167
@SpecterDev
Specter
3 years
Also published v1.02 for the exploit chain which has necessary improvements to the ELF loader.
8
26
166
@SpecterDev
Specter
6 years
@grantstern @pewdiepie As if he has control over what people say on the other side of the world you ridiculous person.
1
0
157
@SpecterDev
Specter
5 years
For all the C++-ers out there, here's release v0.4 of the PS4 toolchain, which adds libcxx support for building C++ homebrew. Also features a fancy new Windows installer!
9
37
159
@SpecterDev
Specter
6 years
As an add-on the exploit in question isn't like the ConcatMemcpy one that was posted a few months ago - that wasn't a complete exploit, only an infoleak. The one that was patched granted code execution in userland.
15
11
163
@SpecterDev
Specter
7 years
For Halloween this year I'm gonna be something super scary
Tweet media one
50
13
154
@SpecterDev
Specter
7 years
Would like to pose a thought to those who feel we should be encouraging piracy as devs: When really shitty mechanisms are thrown into games that make it P2W (EA Battlefront II) - do you think piracy will make this better going forward? It'll just encourage more micro-tx schemes.
34
19
156
@SpecterDev
Specter
2 years
Maybe. Possibly. Conceivably!
@hardwear_io
hardwear.io
2 years
🎮 Can anyone explain what's happening here ⤵️ #hw_ioUSA2023
Tweet media one
13
18
162