Sunday, September 14, 2014

PS4 - The State of Things Part II: Environment Analysis

Sadly, there's no blueprint of the PS4's filesystem as far as I know, so how would we know where we want to go? We need to collect as much information about the filesystem and its environment as possible to even be able to determine our possible research targets and vulnerabilities.

For any PlayStation platform there are 3 good and legitimate ways to go about this:

Way 1: Open Source Software & Open Documentation

Any Open Source Software used on the PlayStation 4 is listed at http://www.scei.co.jp/ps4-license/.
A quick look through the list reveals that many of the licenses force SONY to distribute copies of the software used, which for the PS4 are:

  • cairo
  • Mono VM
    • "For request, please send e-mail to: pss_opensource_info@scei.co.jp with “PS4 Mono LGPL Request” in the subject line. In the body of the e-mail include your name and e-mail address."
  • Webkit
  • FFmpeg

Since we do have the sources, we can go through them, look for bugs, and/or compare them against publicly available exploits to see if they are patched; for example via http://www.exploit-db.com/.

Furthermore, you can check the World Wide Web for publicly available documentation about the system; sites like http://develop.scee.net/ are very useful. As an example, you can find the content guidelines for the PS4 web browser and a quite interesting presentation from 2013.

Way 2: Hardware Analysis

Not exactly the stuff I like to do, but one of the most interesting and promising research fields, I think.

It is for sure also the most expensive way to research. If you're lucky enough to own or be able to purchase proper hardware for this kind of research, you have tons of possibilities.

There's already a lot of information about PS4 hardware research available in the PS4 Developer Wiki, including some dumps and more.

Even if you do not have access to a fast enough logic analyzer, there's cheap and good hardware for simple chip dumps. You could also check out other hardware interaction possibilities like UART (115200,n,8,1 in our case).

Way 3: Installed Software Analysis

Check the software on the target system for bugs which may lead to information leaks or similar.

One of the best things that can happen at the start is that you find a way to dump parts of the memory, which may reveal sensitive and useful information about the PS4 environment.

A good example is the recently revealed exploit for the Wii U via its web browser & WebKit, which quite early led to memory dumps. WebKit is known to be a weak point on nearly every system!

The Result

A decent result will give you a good overview of how the system works, which processes are linked to each other, what the filesystem looks like, and more.

Here's an example for the PlayStation4 filesystem: CLICK TO DOWNLOAD

The folders and files shown are based on our research so far. Some files and folders are missing, and the listing may be updated.

Part III of my "The State of Things" articles will arrive soon!

- SK