btw: we first used the included iommu script to bypass iommu and dump x86 kernel text via custom pcie device in m.2 slot - worked first try :')
#historylesson #incaseyouevencared
New blog post about hacking PS VR! We managed to find some major flaws - breaking secure boot and extracting all key material: fail0verflow.com/blog/2022/ps4-…
@VVildCard777 @LightningMods_ With emc code exec, you can handle all snvs msgs to sc yourself. Makes it easier to fiddle with snvs contents and avoid bad writes into the actual sc. sc dump is still required for key. hdd backup isn't required, but maybe faster than going through recovery install.
Took a peek at latest PS4 Pro (CUH-72xx, board NVG-001): same southbridge (CXD90046GG), newly marked syscon (A06-C0L2 but still RL78/G13) - so nothing changes in terms of "Aux Hax" stuff :)
Another "PS4 Aux Hax" blog! Using HDMI-CEC to get code exec on all PS4 southbridge versions (including PS4 Pro, etc.), without requiring other parts of the system to be pwned:
fail0verflow.com/blog/2018/ps4-…
Small update to Aux Hax:
Nearly same methods are working against devices on recent PS4 Pro board NVB-003:
Syscon A05-C0L2 (R5F101LL)
Belize southbridge (CXD90046GG)
Belize has ROM readout protection and clears stack...they're learning ;)
@drtune @cybergibbons Agree; would be nice if it were useful on other devices too. Note the FM3 on that board was still marked Fujitsu. Design has gone to Spansion, which has merged with Cypress since then. A lot of opportunity for change - or not :D
@fail0verflow Wow (as usual)! Huh... that thing with the Flash Patch Breakpoint on CM3 surviving reset is an interesting find; sounds generic. Wondering which common M3 chips were compiled with that option enabled... @cybergibbons
@wmbell It's an upper bound. It could've been disclosed earlier, but not later, otherwise a CVE wouldn't have been allocated (unless we requested it ourselves, which we didn't).
@fail0verflow “Disclaimer: The entry creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.”