sleirsgoevy
@sleirsgoevy
Followers
11,765
Following
0
Media
5
Statuses
121
Explore trending content on Musk Viewer
#Mステ
• 394828 Tweets
#Mステ
• 394828 Tweets
billie
• 285835 Tweets
CHASING THE SUN
• 131835 Tweets
Scottie
• 97954 Tweets
Valhalla
• 42825 Tweets
#のらりクラり呑もうの会
• 35886 Tweets
Louisville
• 31391 Tweets
ひーくん
• 28890 Tweets
ジュラシックワールド
• 16989 Tweets
トップバッター
• 15114 Tweets
しーちゃん
• 14549 Tweets
Mリーグ
• 12843 Tweets
Go City Go
• 12792 Tweets
ベビモン
• 11446 Tweets
NEW hair
• 10988 Tweets
佐々木朗希
• 10591 Tweets
西洸人くん
• 10402 Tweets
#大倉忠義オンライン飲み会
• 10120 Tweets
BACK TO THE BEGINNING
• 10006 Tweets
Mira for 7.55.
JB 7.55 with patches by AlAzif and ChendoChap.
178
199
1K
I can confirm that this exploit indeed works on 7.55 without any changes. Still no Mira/HEN though.
98
103
934
Webkit PoC for 9.00, achieves arbitrary read/write and addrof/fakeobj
93
159
937
7.50, expects payload on 9020/tcp. Applied patches: mmap, mprotect, syscall everywhere, kexec, delayed panics. Note: there is no Mira/HEN for 7.50 yet!
142
151
891
Some valid 7.02 addresses:
0x200eb00d8
0x200f300d8
0x200fb00d8
0x2011100d8
The success rate is about 10% for the last one. Unfortunately the exploit then crashes in the critical section in leakJSC. Will now investigate how to fix it.
91
61
630
Probably the last standalone update for 7.5x. Will set up a proper host soon.
69
72
607
Got a working exploit for FreeBSD 9 using the new SOCK_RAW vulnerability.
73
96
581
Partial reimplementation of BD-JB (without kernel part):
ISO image:
Built with "PS3 BD-J DevKit":
55
126
596
To clarify: I am NOT dead, I am NOT in Ukraine, and I have NOT been recruited into the army. Everyone telling the opposite is a detractor.
57
31
559
Another FreeBSD PoC, now utilizing TheFlow's hint. Does not do any zone drains, so should be more portable.
Fun fact: it **seems** that the function tweeted by TheFlow does not need to be buggy. A patched one would also do its job.
59
93
508
Fix for the crash in leakJSC():
after debug_log("[+] Got a relative read"); insert
var tmp_spray = {};
for(var i = 0; i < 100000; i++)
tmp_spray['Z'.repeat(8 * 2 * 8 - 5 - LENGTH_STRINGIMPL) + (''+i).padStart(5, '0')] = 0x1337;
63
44
460
BD-JB for PS5 with payload support (port 9019).
32
94
439
Remove line 525 in jb.c & recompile to fix crash when forking webkit.
32
34
428
So my 9.00 host is finally up:
Use with caution. Web activator Soon™
36
40
430
PS5 payload loader host for 4.03 now up on . Accepts payloads in PLD format (.bin), ELF payloads not supported.
63
90
436
A crazy idea for "PS4 modchip" makers (that just bundle a wifi hotspot with preloaded hosts into an esp8266 chip): make your chips also emulate a usb connection and insert/remove the fake drive at the right time. This way your stuff will be finally of some use.
26
34
419
Seems that I've finally caught the post-exploit instability issue some people discussed. Here it is:
(You will also want to diff that to the original poc, there are some other changes)
39
34
370
PoC for the FontFaceSet vulnerability, which was wrongly classified as a use-after-free. Works only on PC for now. Please check if this prints "failed to guess..." for you. Especially interested in reports from 9.00.
47
56
372
27
38
344
Added 7.50-7.55 support to the Hamachi port. Not tested ingame.
31
43
335
Seems that Mega has not updated the ISO link for the new BD-JB update. Here is the new one:
35
54
345
Hmm, have I really got unblocked?
If so, here is a thing I worked on while blocked:
PoC X86->ARM, passes tests from
55
26
328
The porting tool for ps5-kstuff is now complete. If your firmware is not supported yet, please follow [this guide]() and dump the offsets. ESPECIALLY if you're on some weird firmware like 3.10 or 4.02.
33
57
340
BTW just finished another something-to-browser port. Remote package installation over NetCat! (Well, not actually...)
Source code:
Windows EXE:
Linux users, build from source.
23
42
291
Found a TYPO in the 672.html page in my ps4-web-activator repository. Now hopefully fixed.
16
18
279
22
50
271
Updated payload server, now also cleans up after exploit.
18
55
273
Straight-forward reimplementation.
13
40
265
Finally seem to have fixed spurious crashes in the web activator.
P.S. Credits: charlyzard for the original implementation.
17
34
261
Just got reminded that I forgot to upload fixed package installer binary. Here it is:
34
27
258
I can report that X86 trap flag works as usual in PS5's executable-only memory. There is no stupid "anti-debug protection" here.
19
25
251
"Mira not working" turned out to be ENTIRELY my own fault. I accidentially pointed the kexec syscall to "jmp rsi" instead of "jmp [rsi]". Regexe match groups do not play well with AT&T notation...
P.S. Still needs checking whether homebrew will run...
30
17
237
bgft-sender.exe updated for GoldHEN loader.
13
40
245
Wait, what? Are they really storing kernel pointers inside an mbuf's data area??
12
26
238
Added code for truly arbitrary function call. The PoC now lists /, which is not possible from Java. ISO:
27
43
239
If you have a rooted Android, you can try using [these scripts]( ) to emulate plugging/unplugging the drive. Tested on Samsung A6.
16
31
232
21
34
232
TL;DW: Probably a PS-specific crasher, unlikely to be exploitable
18
27
222
ps4-hamachi () now supports FW 7.02. NOTICE: NOT an official product by LogMeIn!
18
30
205
Added Base64-encoded PSN ID to the web activator. Necessary for Chiaki activation.
14
20
210
Just in case anybody still cares:
HTMLTextAreaElement address statistics on 7.02. key = address in decimal, value = number of occurrencies per 30 runs.
Extracted using a debugger with HEN already activated, not via the exploit, so no survivorship bias.
13
25
194
Unfortunately, type-confusing these pointers does not seem to be possible, due to it using a special mbuf type (MT_CONTROL). It may be possible to turn it into UAF on struct file, but that is also zone-allocated, and most file destructors put it into invalid state.
26
12
182
@SpecterDev
@tihmstar
select (f_poll) is a better target than ioctl (f_ioctl) imo. It only checks that the refcount is nonzero, while ioctl also checks that the mode allows either read or write.
7
8
186
@SpecterDev
Regarding zone reclaim on PS4, in this specific exploit the PS4 (for some weird reason) allocates even small packets in mbufs with clusters, i.e. the mbuf_packet zone, and to drain that you need to exhaust all clusters. That is the only way to do it, uma_reclaim does not work.
9
8
171
Hamachi ready:
P.S. IDK whether PS4 games will work through it. Only tested with the web browser. At least the console can still be pinged when running a game.
6
34
163
Added a log dumping function to my Hamachi frontend. If you encounter mysterious errors, please attach the dumped logs to your bug report.
7
10
158
Fixed "web lb" mode being broken on the Hamachi port. This fixes connection problems on some networks.
9
26
154
@Goukifafa
The kernel exploit just completed. Now what's left is just to put mira on top of it.
11
12
135
Regarding the new exploit disclosed at BHEU: could anybody run this () or equivalent code on 5.05/other non-6.XX firmware and send the logs to me? The pattern is obvious, but I'd like to know what differences to expect and what to brute for.
6
22
124
You can verify the found offsets by running the script test_offsets.py with the same arguments. It should launch a ps5-kstuff that can run fPKG files.If that works, please submit your JSON file either [here](),or to the "testing" channel on PS5 R&D Discord.
6
19
133
Once again, for those who didn't get the point. This link () should be visited from your PS4 which is on **5.05**. It is not a new exploit, all it does is collect some statistics that could be useful for porting the BHEU exploit to 7.02.
18
14
119
@_AlAzif
It's not just dlsym. The payloads uses dlopen with just library name, not full path, and that fails.
1
5
115
5
11
108
P.S. You can check the list of currently supported firmwares here:
4
14
98
EDIT: It does not. No debug settings, and running any application results in a panic.
4
6
87
You can also try using "DriveDroid" or "USB Mountr" apps, whatever one works for you.
3
3
80
@_AlAzif
Just tried to run the 7.02 Mira build. And you guessed it, it does not run. I can't even see the "waiting for payloads" popup. [Probably the boot patches are the cause.]
10
8
78
UPDATE: I made a one-click 5.05 version of the code from previous post. Cannot test it though:(
P.S. Please do not post-scan/exploit/DDoS the server. I hope it is secure, but please do not abuse.
P.P.S. The logs will be sent unencrypted.
4
10
71
Added a few debug alerts. They should give some clue on why it is failing to collect data. If it failed for you, please try visiting the link again.
3
6
70
In case somebody else got confused: this is NOT a 7.02 webkit exploit.
6
3
59
@PS4Trainer
I identified the problem with WebRTE on my exploit host. Your payload expects being loaded at a constant address (possibly 0x926200000), i.e. is not PIE, but MiraLoader maps the payload at a system-provided address, so it only works with PIE payloads.
3
7
61
Я конечно максимально далёк от политики, но в это воскресенье некто ВВП пойдёт продлеваться ещё на 6 лет. Если вам тоже кажется, что это плохая идея -- идите на участки и голосуйте за любого другого кандидата. Или ставьте несколько галочек: порча бюллетеня -- голос против всех.
12
5
62
Just fixed broadcasts in the PS4 Hamachi port. Call of Duty should now technically work, but the framerate is unplayable.
5
6
49
@Goukifafa
contains the combined jb+netcat payload. You can try your luck with sending payloads to it, but Mira/HEN are not working yet.
2
7
43
@notzecoxao
Как померять высоту здания с помощью барометра? Бросить его с крыши и засечь, сколько он будет падать.
3
2
46
@notnotzecoxao
Or even better, run the porting tool and contribute the offsets for ps5-kstuff.
3
4
47
@Louzi19881279
I think no valuable improvement will be done unless a new bug surfaces (at least an infoleak).
3
4
40
@rasheed_daley
This one doesn't work, but it will once ported. It should say that it failed to guess.
2
2
39
@notzecoxao
Should be possible to chain with a SELF dumper. I've verified that mapping itself works.
2
2
34
Something very weird is happening. I do see requests to static stuff in the server logs, but no POST requests with actual logs. Probably the code fails somewhere. Any chance to get a screenshot with error?
P.S. You do not need to activate any HEN first. At least I think so.
1
2
33
@_AlAzif
The way it has been added is wrong. It is now broken due to exploit.js being minified. Please upload a non-minified version of exploit.js instead.
Also the success rate is more like 30%, 10 retries is my personal worst-case.
10
0
34
1
0
28
@Harsh83106577
No, I have 6.72 data myself. What i want to see is how 5.05 is different from 6.72, to get an insight into what how it changes between firmwares and what to expect on 7.02.
1
0
17
@rohanmannan
@notnotzecoxao
This is for the PS5 versions 3.00 to 4.51 that have a kernel exploit.
1
0
17
@AbubakarShnk
It does not need to. It will just need to replay the pre-created image, no need to understand its inner structure.
1
0
14
@AR_JRIDI
This is not an exploit. I am trying to collect statistics about how the unknown address changes between firmwares. I have the 6.72 data myself and am trying to collect some logs from 5.05 owners.
1
0
10
0
2
8