Skip to content

Commit

Permalink
Bug fixes and improvements
Browse files Browse the repository at this point in the history 
  - Fixed payload links not responding when the PS4 is offline.
  - Reduced chance of system freeze when running the kernel exploit.
  - Updated FTP payload (v1.08b - several bug fixes).
  • Loading branch information
@hippie68
hippie68 authored Dec 2, 2023
1 parent 9095fc1 commit cd1414c
Show file tree
Hide file tree
Showing 7 changed files with 124 additions and 153 deletions.
2 changes: 1 addition & 1 deletion 900/cache.manifest
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
CACHE MANIFEST
# random: 1870bc4f4d4486f21651e34546f90d2d
# random: 3fedc7dffb35a26996dff713c4082380

CACHE:
app2usb.bin
Expand Down
8 changes: 6 additions & 2 deletions 900/changelog.js
View file
Original file line number Diff line number Diff line change
@@ -1,4 +1,8 @@
let changes=`2023-06-21: Updated GoldHEN (2.4 BETA 14).
let changes=`2023-12-02:
- Fixed payload links not responding when the PS4 is offline.
- Reduced chance of system freeze when running the kernel exploit.
- Updated FTP payload (v1.08b - several bug fixes).
2023-06-21: Updated GoldHEN (2.4 BETA 14).
2023-06-13: Updated FTP payload (v1.08a - bug fix for WinSCP).
2023-04-16: Updated JBC loader.
2023-04-15: Added GoldHEN 2.4 BETA 13.
Expand Down Expand Up @@ -112,6 +116,6 @@ let changes=`2023-06-21: Updated GoldHEN (2.4 BETA 14).
2021-03-27: Added firmware safety checks.
2021-03-26: Added ToDEX payload.`;
let data=["aHR0cHM6Ly9jb3JzLmJyaWRnZWQuY2Mv","eC1jb3JzLWdyaWRhLWFwaS1rZXk=","NWJlZGE3MGUtMzlhYi00M2Q0LTkwOTAtMjIwZmM1MzNjNzUy"];
let date="2023-06-21";
let date="2023-12-02";
let build="1";
let targetFirmware="9.00";
Binary file modified 900/ftp.bin
View file
Binary file not shown.
47 changes: 8 additions & 39 deletions 900/index.html
View file
Original file line number Diff line number Diff line change
Expand Up @@ -347,24 +347,24 @@
<b style="font-size: large">Instructions</b>
<p>
This website is now cached in your PS4 browser. You can disconnect your PS4 from the Internet and, from now on, keep using the jailbreak offline. For quick access, feel free to add a bookmark.<br>
To jailbreak, first of all you need to prepare a USB device with the image file <a style="color: var(--text-color-2)" href="https://github.com/ChendoChap/pOOBs4">"exfathax.img"</a> (external link). After that, click on the payload that you want to load. If all goes well, after 20-40 seconds you will see the message <i>"You're all set!"</i>, followed by <i>"There is not enough free system memory"</i>. The jailbreak consists of two parts: WebKit exploit and kernel exploit.
To jailbreak, you need to prepare a USB storage device with the image file <a style="color: var(--text-color-2)" href="https://github.com/ChendoChap/pOOBs4">"exfathax.img"</a> (external link). Once that is done, have the device within reach and click on a payload. If all goes well, after 20-40 seconds you will see the message <i>"You're all set!"</i>, followed by <i>"There is not enough free system memory"</i>. The jailbreak consists of two parts: WebKit exploit and kernel exploit.
</p>
<b>Several messages can appear:</b>
<ul>
<li><b>"There is not enough free system memory."</b>: It means the WebKit exploit was not successful. Press "OK" to try again.</li>
<li><b>"Insert USB device now."</b>: Connect the prepared USB device and follow the displayed instructions.</li>
<li><b>"Failed to trigger the kernel exploit."</b>: The system may have become unstable because the USB stick was not inserted correctly. It may be a good idea to reboot and try again.</li>
<li><b>"There is not enough free system memory."</b>: It means either the WebKit exploit was not successful or a payload could not be loaded. Press "OK" to try again.</li>
<li><b>"Insert exfathax USB device now."</b>: Connect the prepared USB device and closely follow the displayed instructions.</li>
<li><b>Black screen + "An error has occured in the system software."</b>: The system is probably unstable and should be rebooted.</li>
<li><b>"You're all set!"</b>: The jailbreak was successful, and the selected payload has been loaded into memory.</li>
</ul>
<b>Additional information:</b>
<ul>
<li>Loading a GoldHEN or Mira payload unlocks installed homebrew applications and enables "Debug Settings": Leave the browser and go to "Settings - *Debug Settings - Game - Package Installer" to install homebrew PKG files from the root folder of an exFAT-formatted USB storage device. <b>Do not ever go into "*Debug Settings - System - IDU Mode", or your PS4 will brick!</b></li>
<li>Current GoldHEN payloads by default hide the Debug Settings and instead create a GoldHEN icon in the home screen's function area.</li>
<li>Loading a GoldHEN or Mira payload unlocks installed homebrew applications and enables "Debug Settings": Leave the browser and go to "Settings - *Debug Settings - Game - Package Installer" to install homebrew PKG files from the root folder of an exFAT-formatted USB storage device. <b>Do not ever go into "*Debug Settings - System - IDU Mode", or your PS4 will brick!</b><br>Current GoldHEN payloads by default hide the Debug Settings and instead create a GoldHEN icon in the home screen's function area.</li>
<li>For GoldHEN's Rest Mode support to work, make sure to enable "Keep Application Suspended" in "Settings - Power Save Settings - See Features Available in Rest Mode".</li>
<li>You can send additional payload files from a computer: First, load the "JBC Loader" or "Mira Loader" payload. Then, on your computer, use a Netcat program to send your payload files to the PS4.</li>
<li>Some payloads loaded via WebKit exploit continue to run inside the browser window. To leave or reopen the browser while keeping them alive, use the PS button.</li>
<li>GoldHEN 2.x's BinLoader server, found outside the browser in "Settings - *GoldHEN*", activates instant payload loading. This website feature only works if the website is self-hosted via HTTP. It will not be available when using HTTPS or hippie68.github.io. Please take care not to load the same payload twice while the payload is still running.</li>
<ul>
<li>If GoldHEN 2.x's BinLoader server is activated, most payloads are sent to the server. This website feature only works on hippie68.rf.gd or if the website is self-hosted via HTTP. It will not be available on hippie68.github.io or when using HTTPS. Please take care not to send the same payload twice while the payload is still running.</li>
<li>Unplug the exfathax USB device before rebooting. Otherwise, the exploit will be triggered too early.</li>
</ul>
</div>
<div class="tab" id="tab_changelog">
<div class="tab_title">Changelog<span id="tab_changelog_version" style="font-size: medium; font-weight: normal"></span></div>
Expand Down Expand Up @@ -1396,14 +1396,6 @@
resetPayloadChain();
}

// Checks if a website file exists
function fileExists(pathname) {
let xhr = new XMLHttpRequest();
xhr.open("HEAD", pathname, false);
xhr.send();
return xhr.status != 404;
}

// Launches one or multiple comma-separated payload files
function launchPayloads(payloadString) {
// Make sure the WebKit exploit is able to run
Expand All @@ -1412,29 +1404,6 @@
return;
}

// Make sure payload files exist
{
let payloadFilenames = payloadString.split(",");
for (let i = 0; i < payloadFilenames.length; i++) {
let payloadFilename = payloadFilenames[i];
if (!fileExists(payloadFilename)) {
// Check if file exists in (un)compressed form and use that instead
if (payloadFilename.endsWith(".bz2"))
payloadFilename = payloadFilename.slice(0, payloadFilename.length - 4);
else
payloadFilename = payloadFilename + ".bz2";
if (fileExists(payloadFilename)) {
payloadFilenames[i] = payloadFilename;
continue;
}

alert(`Payload file does not exist: "${filename}"`);
return;
}
}
payloadString = payloadFilenames.join(",");
}

// Avoid unwanted last-used page automatic jailbreaking (see "jb.html")
sessionStorage.setItem("allow_jailbreak", "1");

Expand Down
193 changes: 100 additions & 93 deletions 900/jb.html
View file
Original file line number Diff line number Diff line change
@@ -1,4 +1,3 @@
<html>
<style>
body {
height: 100%;
Expand Down Expand Up @@ -31,8 +30,10 @@
</div>
<script>
// Don't start jailbreaking unless invoked manually.
if (!sessionStorage.getItem("allow_jailbreak"))
if (!sessionStorage.getItem("allow_jailbreak")) {
location.href = "index.html";
throw new Error();
}

let enable_debug = localStorage.getItem("enable_debug");
let webkit_addr = localStorage.getItem("webkit_addr");
Expand Down Expand Up @@ -169,7 +170,7 @@

// Assemble payload buffer.
debugMessage(`Writing "${payloadFilename}" to memory...`);
let payloadBuffer = chain.syscall(477, 0x0, array.buffer.byteLength, 0x7, 0x1002, 0xFFFFFFFF, 0x0);
let payloadBuffer = chain.syscall(477, 0x0, array.buffer.byteLength, 0x7, 0x1000, 0xFFFFFFFF, 0x0);
let arrayBuffer = p.read8(p.leakval(array).add32(0x10));
memcpy(payloadBuffer, arrayBuffer, array.buffer.byteLength);
chain.syscall(203, payloadBuffer, array.buffer.byteLength, 0x0);
Expand All @@ -180,110 +181,116 @@
};
}

let payload_loader = localStorage.getItem("payload_loader");
try {
let payload_loader = localStorage.getItem("payload_loader");

for (let i = 0; i < payloadFilenames.length; i++) {
let payloadFilename = payloadFilenames[i];
for (let i = 0; i < payloadFilenames.length; i++) {
let payloadFilename = payloadFilenames[i];

let payloadLoaderFilename;
if (payloadFilename == "mira.bin") {
payloadLoaderFilename = "mira_loader.bin";
} else if (payloadFilename != "jbc_loader.bin" && payloadFilename != "mira_loader.bin") {
switch (payload_loader) {
case null:
case "jbc_loader":
payloadLoaderFilename = "jbc_loader.bin";
break;
case "mira_loader":
payloadLoaderFilename = "mira_loader.bin";
break;
case "no_loader":
if (payloadFilename == "web_activator.bin")
let payloadLoaderFilename;
if (payloadFilename == "mira.bin") {
payloadLoaderFilename = "mira_loader.bin";
} else if (payloadFilename != "jbc_loader.bin" && payloadFilename != "mira_loader.bin") {
switch (payload_loader) {
case null:
case "jbc_loader":
payloadLoaderFilename = "jbc_loader.bin";
else if (payloadFilename.toLowerCase().includes("linux"))
break;
case "mira_loader":
payloadLoaderFilename = "mira_loader.bin";
break;
break;
case "no_loader":
if (payloadFilename == "web_activator.bin")
payloadLoaderFilename = "jbc_loader.bin";
else if (payloadFilename.toLowerCase().includes("linux"))
payloadLoaderFilename = "mira_loader.bin";
break;
}
}
}

if (payloadLoaderFilename) {
// Load payload loader in the background.
let loaderBuffer = createPayloadBuffer(payloadLoaderFilename);
let pthread = p.malloc(0x10);
let ret = chain.call(libKernelBase.add32(OFFSET_lk_pthread_create), pthread, 0x0, loaderBuffer.address, 0x0).low;
if (ret) {
alert(`Failed to load "${payloadLoaderFilename}" (for "${payloadFilename}").`);
break;
}
if (payloadLoaderFilename) {
// Load payload loader in the background.
let loaderBuffer = createPayloadBuffer(payloadLoaderFilename);
let pthread = p.malloc(0x10);
let ret = chain.call(libKernelBase.add32(OFFSET_lk_pthread_create), pthread, 0x0, loaderBuffer.address, 0x0).low;
if (ret) {
alert(`Failed to load "${payloadLoaderFilename}" (for "${payloadFilename}").`);
break;
}

// Create a socket file descriptor.
let sockfd = chain.syscall(97, 0x2, 0x1, 0x0).low;
if (sockfd < 0) {
alert(`Failed to create socket: "${sockfd}"`);
break;
}
// Create a socket file descriptor.
let sockfd = chain.syscall(97, 0x2, 0x1, 0x0).low;
if (sockfd < 0) {
alert(`Failed to create socket: "${sockfd}"`);
break;
}

// Create struct sockaddr_in.
let sockaddr_in = chain.syscall(477, 0x0, 0x10, 0x7, 0x1002, 0xFFFFFFFF, 0x0);
let sockaddr_in_data = p.array_from_address(sockaddr_in, 4);
sockaddr_in_data[0] = 0x3d230210; // .sin_port: 9021, .sin_family: AF_INET, .sin_len: 16
sockaddr_in_data[1] = 0x0100007f; // .sin_addr: 127.0.0.1
sockaddr_in_data[2] = 0x00000000;
sockaddr_in_data[3] = 0x00000000;
// Create struct sockaddr_in.
let sockaddr_in = chain.syscall(477, 0x0, 0x10, 0x7, 0x1000, 0xFFFFFFFF, 0x0);
let sockaddr_in_data = p.array_from_address(sockaddr_in, 4);
sockaddr_in_data[0] = 0x3d230210; // .sin_port: 9021, .sin_family: AF_INET, .sin_len: 16
sockaddr_in_data[1] = 0x0100007f; // .sin_addr: 127.0.0.1
sockaddr_in_data[2] = 0x00000000;
sockaddr_in_data[3] = 0x00000000;

// Connect to socket.
ret = chain.syscall(98, sockfd, sockaddr_in, 0x10).low;
if (ret) {
alert(`Could not connect to payload loader: ${ret}`);
chain.syscall(6, sockfd);
break;
}
// Connect to socket.
ret = chain.syscall(98, sockfd, sockaddr_in, 0x10).low;
if (ret) {
alert(`Could not connect to payload loader: ${ret}`);
chain.syscall(6, sockfd);
break;
}

// Send payload to payload loader.
let payloadBuffer = createPayloadBuffer(payloadFilename);
ret = chain.syscall(4, sockfd, payloadBuffer.address, payloadBuffer.size).low;
if (ret == payloadBuffer.size)
debugMessage(`Running "${payloadFilename}"...`);
else if (ret <= 0)
alert(`"${payloadFilename}" could not be sent.`);
else
alert(`"${payloadFilename}": only ${ret} out of ${payloadBuffer.size} bytes could be sent.`);
// Send payload to payload loader.
let payloadBuffer = createPayloadBuffer(payloadFilename);
ret = chain.syscall(4, sockfd, payloadBuffer.address, payloadBuffer.size).low;
if (ret == payloadBuffer.size)
debugMessage(`Running "${payloadFilename}"...`);
else if (ret <= 0)
alert(`"${payloadFilename}" could not be sent.`);
else
alert(`"${payloadFilename}": only ${ret} out of ${payloadBuffer.size} bytes could be sent.`);

// Clean up.
chain.fcall(window.syscalls[6], sockfd);
chain.fcall(window.syscalls[73], sockaddr_in, 0x10);
chain.fcall(window.syscalls[73], payloadBuffer.address, payloadBuffer.size);
chain.run();
// Clean up.
chain.fcall(window.syscalls[6], sockfd);
chain.fcall(window.syscalls[73], sockaddr_in, 0x10);
chain.fcall(window.syscalls[73], payloadBuffer.address, payloadBuffer.size);
chain.run();

// Wait for payload loader to return.
ret = chain.call(libKernelBase.add32(OFFSET_lk_pthread_join), p.read8(pthread), 0x0).low;
if (ret)
alert(`Failed to wait for "${payloadLoaderFilename}" to return.
Please report this bug at https://github.com/hippie68/hippie68.github.io/issues.
Error value: ${ret}\n
Wait for "${payloadFilename}" to finish and then press "OK".`);
chain.syscall(73, loaderBuffer.address, loaderBuffer.size);
} else {
let payloadBuffer = createPayloadBuffer(payloadFilename);
debugMessage(`Running "${payloadFilename}"...`);
chain.fcall(payloadBuffer.address, 0x0);
chain.fcall(window.syscalls[73], payloadBuffer.address, payloadBuffer.size);
chain.run();
// Wait for payload loader to return.
ret = chain.call(libKernelBase.add32(OFFSET_lk_pthread_join), p.read8(pthread), 0x0).low;
if (ret)
alert(`Failed to wait for "${payloadLoaderFilename}" to return.
Please report this bug at https://github.com/hippie68/hippie68.github.io/issues.
Error value: ${ret}\n
Wait for "${payloadFilename}" to finish and then press "OK".`);
chain.syscall(73, loaderBuffer.address, loaderBuffer.size);
} else {
let payloadBuffer = createPayloadBuffer(payloadFilename);
debugMessage(`Running "${payloadFilename}"...`);
chain.fcall(payloadBuffer.address, 0x0);
chain.fcall(window.syscalls[73], payloadBuffer.address, payloadBuffer.size);
chain.run();
}
}
}

debugMessage("");
history.pushState({}, "", ".");
setTimeout(function () {
if (localStorage.getItem("disable_youreallset") != 1)
alert("You're all set!");
if (payloadFilenames.includes("web_activator.bin")) {
runScript("web_activator_rop.js");
runScript("web_activator_frontend.js");
} else {
read_ptr_at(0);
}
}, 30);
debugMessage("");
history.pushState({}, "", ".");
setTimeout(function () {
if (localStorage.getItem("disable_youreallset") != 1)
alert("You're all set!");
if (payloadFilenames.includes("web_activator.bin")) {
runScript("web_activator_rop.js");
runScript("web_activator_frontend.js");
} else {
read_ptr_at(0);
}
}, 30);
} catch (error) {
alert(error);
logMessage(error);
logMessage("Jailbreak failed (press circle button to return)");
}
}

// Display additional info for certain payloads.
Expand Down
Loading

0 comments on commit cd1414c

Please sign in to comment.