(adsbygoogle = window.adsbygoogle || []).push({}); Hello NextGenUpdate, yesterday, a user named 5lipper, has now added extra support for kaslr on PS4 for firmwares: 3.55, 4.00, and 4.01. If you find it interesting, and useful. They have added it onto fail0verflow's PS4 Kexec GitHub.

To find it and use it, click here: You must login or register to view this content.



--Makefile--

    @@ -1,11 +1,8 @@

-ifdef DDO_NOT_REMAP_RWX

-DO_NOT_REMAP_RWX := -DDO_NOT_REMAP_RWX

-endif

-

-CFLAGS := -march=btver2 -masm=intel -std=gnu11 -ffreestanding -fno-common \

+CFLAGS=$(CFLAG)

+CFLAGS += -march=btver2 -masm=intel -std=gnu11 -ffreestanding -fno-common \

 	-fPIC -fomit-frame-pointer -nostdlib -nostdinc \

 	-fno-asynchronous-unwind-tables \

-	-Os -Wall -Werror -Wl,--build-id=none,-T,kexec.ld,--nmagic $(DO_NOT_REMAP_RWX)

+	-Os -Wall -Werror -Wl,--build-id=none,-T,kexec.ld,--nmagic

 

 SOURCES := kernel.c kexec.c linux_boot.c linux_thunk.S uart.c firmware.c

---

--README.md--

    @@ -34,6 +34,14 @@ You may pass something other than NULL as `early_printf`. In that case, that

 function will be used for debug output during early symbol resolution, before

 printf is available.

 

+Since PS4 3.55(?), KASLR(Kernel Address Space Layout Randomization) is

+enabled by default, symtab also disappears in newer kernel, we have to

+hardcode offsets for some symbols. Currently we use the `early_printf`

+given by user to caculate the base address of kernel, then relocate all the

+symbols from the kernel base. You could enable this feature like this:

+

+	make CFLAG='-DPS4_4_00 -DKASLR -DNO_SYMTAB'

+

 If you do not want to call the syscall from userspace, you can pass the address

 of a function pointer as `sys_kexec_ptr`. `kexec_init` will write to it the

 address of `sys_kexec`, so you can invoke it manually (see kexec.h for

---

--firmware.c--

    @@ -109,7 +109,7 @@ ssize_t firmware_extract(void *dest)

     u8 *p = dest;

 

     // Yeah, this calls it Starsha... Liverpool, Starsha, ThebeJ, whatever.

-    struct fw_info_t *info = kernel_resolve("Starsha_UcodeInfo");

+    struct fw_info_t *info = kern.Starsha_UcodeInfo;

     if (!info) {

         kern.printf("firmware_extract: Could not locate firmware table");

         return -1;

What can we do with this?

It is a payload intended to be used with an injection exploit. The idea is, you compile your exploit and inject this, and using the syscall you can load in your own kernel.

I can't imagine a 3.55 jailbreak should take too long if using this...

Can we boot SteamOS using this?

We can alreadt boot that and cool so samu = pwnd?

idk what u mean by this.

Technically, no. Not yet.
SteamOS hasn't been ported to run on the PS4 as of yet, however steam itself can be run under arch, which can be run on PS4 at present.

If someone takes the time to find a working exploit for this payload, then I can not envisage it taking a huge amount of time (relatively) before SteamOS is ported.