@AndrewBlade another weird one was that i experienced the last kids born in the 90's and the first kids born after 9/11 both graduating while i was in highschool. My graduating year was half kids before and after 9/11. That one usually makes people feel old considering im 6'3 and look older than I am. Time waits for no one
Probably equally as insane as the tweezer hack on the wii, was doing a man-in-the-middle attack on the pcie bus of the ps4. The same team that did the tweezer hack on the wii used an fpga board(connected to the ps4 apu) and another PC(where the ps4 “chipset” was connected) and connected those 2 using 115200baud serial(kinda downgrading PCIe to 0.00002x)
People who wrote code like that in 2006 had likely been coding since the 80s, or were heavily influenced by those who had been. I've also been writing code since the 80s, though, so I can tell you that by 2006, single letter variable names were frowned upon, but abbreviations like "buff" were still common place.
"...you have jailbroken your PS4; you can put your own apps on there, you can load your own software, and the PS4 is now effectively yours to do whatever you want with" - Which is exactly the way it should be for hardware which you purchased with your own money.
@@SouthParkStudio Sony isn't going to fuck you, and also tell me you've never had to fight windows to get your computer to do what you want, without telling me.
Ironically, Go guidelines tell you to use fully worded variable names, but contrary to OP's claim, no one in the world is silly enough to _not_ shorthand the most common variable names. So, no, "buf", "r", "w", "p", "f" are all perfectly normal and universally understood. It is a Clean Code practice to write silly long names, and Clean Code has been repeatedly proven to be an absolutely atrocious practice that dramatically reduces productivity in any meaningful project, much like literal adherence to the likes of Scrum methodologies or excessive application of design patterns to every triviality. All of this is corporate rubbish that no one honestly follows because everyone quickly realises how impractical it is. There is a reason why Java is universally seen as the greatest corporate brain-rot language.
bug reported: 2006 PS4 release: 2013 PS4 FW 11 release: 2023 FW 11.02 (Dec 2023) _may_ have fixed it? Unsure. This bug was known about 7 years before the PS4 existed and it's still been in there for nearly its entire lifespan. Crazy.
@@zdspider6778 no, the bug is from 2006. it was recently discovered that it could be used on the playstation 4, but the bug was identified and known about since 2006
@@ryanilari3537 It's based on FreeBSD, but yes, this was just inherited functionality. Weirdly, the PS4's OS is supposedly based on FreeBSD 9, which is from 6 years after this was patched, so I'm guessing they didn't fully rebase on FreeBSD 9 but kept code around from the PS3's OS (also partially based on FreeBSD), which is basically contemporary with the vulnerability.
@@ryanilari3537 PPPoE is not something you automatically have, it has to be explicitly used. So Sony for whatever reason chose to have this as an option so their console was able to connect directly to your ISP over PPPoE without a router. Quite why anyone would want to do that, I do not know. That seems like a bad idea even from just a CPU cycles point of view, given how weak the PS4 CPU is.
The achilles heel of the PS4 has really been relying so much on open source modules, especially FreeBSD for the kernel. Every time there is a critical CVE, it's open season for another jailbreak. Microsoft has the privilege of being able to build around in entirely closed source environment. It makes reverse engineering a much more daunting task.
Wow this entire exploit is like an overview of my reverse engineering course I just took. Everything from creating shellcode, identifying and exploring buffer overflows, creating ropchains, defeating protections like ASLR, and heap exploitation. The only thing that is missing that would make this exploit and entire course overview is fuzzing and creating scripts in binja/ghidra
A few of us cared about good naming conventions 20 years ago. A very few of us cared 40 years ago. It's good to have more allies today. My favorite software joke: The two hardest problems in software engineering are naming, concurrency, and off-by-one errors. 🙂
Honestly the most surprising thing to me about this is that they have a low level device object for the notification UI. I would think that would be handled by some higher-level API, but I guess not.
The exploit gives you kernel access. The notification thing this is just for display purposes. The kernel controls _everything._ Like all of the functions to display text and draw sprites and all that is and ever was. They could have made the entire screen blue if they wanted.
@@zdspider6778 I know the kernel controls everything. I'm just surprised that /dev/notification (or whatever it is) is all you need to send a notification. I would have thought it would be more involved (e.g. building up structs, sending it as a message to the userspace process for notifications, etc.)
Might be there for debugging purposes. Some system that is entirely disconnected from the gui and other services that can keep on showing information on screen even if the entire gui locks up. Might even have been designed initially to show its messages on e.g. an lcd display on the front of the device.
As note, it was released on 2013, so probably it was coded between 2010-2012, so its not far away from 2006. So it has been jailbroked after 11 years. PS3 was jailbroked after 3-4 years only.
PS4 has been jailbroken many times before on earlier firmwares. This one is just the latest one that works until 11.00. Also Sony is constantly patching the software with updates, this bug could have been patched at any point between 2013 and now, but it wasn't because no one knew it was in there until now.
True, but what he was referring to is that this exploit was already in the wild in 2006, which is why it the claimed date is roughly correct. There are plenty of other exploits using the same vulnerability, just with different hardware, or ordered increments. Honestly can't wait till PS4 stops getting updates, so we don't ever need 2 worry about patches screwing with custom ecosystems anymore.
The algorithm deemed this foreign video as permissable to watch. Even though i dont understand your language you sound very confident so i agree whole heartedly.
1:16 once jailbroken, "the PS4 is now effectively yours". So before jailbreaking, you can't put your own software on it. If you can't do whatever you want with it, do you really own it?! Even if you bought it, purchased it, paid for it, if you don't have full and total control over the device, do you actually OWN it?! What does ownership even mean these days?!
legally, the console hardware is yours, but the software on it is licensed to you by sony, and sony can revoke that license at any time (though I am not aware of any instances where they have done this to anyone). given that the software is installed in such a way that sony hopes you will never be able to modify it without their consent, the hardware is also effectively controlled by them in practice unless you find a way to get past their protections, hence what is said in the video that is to say, ownership means what it always has, in a sense, but software companies keep trying to find ways for that to be less useful to you. another good example is with modern games; technically you don't own those either, they're also just licensed to you, and that license can be revoked at any time. I believe it's technically been that way from day 1, but it's only within the last 10-20 years that publishers have gained the ability to actually enforce that through modern DRM but also remember: if buying isn't owning, then piracy isn't stealing :)
@@Brahvim windows is like this too. if you change the hardware in your computer too much without reinstalling windows, it will revoke itself, because microsoft bases the validity of a windows license on the particular hardware configuration windows sees when it's first installed technically, you don't really own any software that you don't make yourself, even if it's free. what matters is the terms under which it's licensed to you. ex: linux is licensed to you under the GPL, which in practice means it's free forever
2:59 "You can tell this code was written in '06 ... naming variables like buf and r and p and h" - Even back in 2006, those were terrible variable names, and coding naming guidelines said to favor readable pronounceable whole words over obtuse fragments (at least I recall the Windows API design guidelines stating that, attempting to correct past blunders :b).
although, Windows apps are meant to run, and be updated for years. Game consoles, not so much.The only coders looking at this code are trying to hack the console! It's not nearly so desirable to have readable code in the console world (unless you're porting a particular game to other platforms)
Someday I hope console makers will realize their stuff is gonna get hacked and just lean into the user freedom angle. Kinda like the stream deck is doing now
They do; they just hope the defenses last long enough so they can get to their next iteration without someone breaking it and defeating DRM etc. It's why I suspect Microsoft allowed developer mode on the Xbones, those who want to write games and apps can do so, without having to exploit the whole system, leaving that area only for the pirates to investigate.
The PS3 let you officially install Linux. I think they removed that because they were worried someone would use the Linux environment for jailbreaks... But ironically, taking away Linux created a much bigger incentive to jailbreak the console, that is, bringing Linux back 😆
You ought to have a series sort of documenting how various consoles and machines were jailbroken sort of like MVG but maybe more code oriented/step by step
Thanks for doing this rundown! Heap exploits always seem to have to be wildly complex -- building primitives, finding targets, getting rw/exec'ble memory, getting to stack, cleaning up... always nice to get the nickel tour
3:02: “naming variables things like buf and r and p and h are just, like, terrible naming conventions” don’t let Rob Pike catch you saying that; they’re still acting like you get charged by the byte when you write golang source code
You get charged by the character when you read it. The longer the name, the more it distracts you from seeing the shape of the code and understanding what it actually does.
@@hobbified only if the code itself is short, neatly written, and contains no bugs. I've spent way too much time deciphering unreadable mumbo jumbo in my career just because some bright minds wanted to use up the entire alphabet for variables instead of treating a programming language as, well, an actual language 😅
Short variable names should only be used within very short functions. People are making out like you write all go code like this. Calling an integer you are manipulating, i, in a 3 line function for instance. If you are using short variable names in any other way, you are doing it wrong.
@@golangismyjam ideally yes. however, in my dealings with the arbiters of Go style from my time at Google, and from reading the stdlib, there was a strong cultural norm towards shortness for its own sake, even at the expense of what I would judge as readability.
@@golangismyjam when writing Go code at Google, in my experience the style reviewers for the language strongly pushed authors to shorten variable names in most situations, even beyond the “just a few lines” case (which, in that particular context, I would not find objectionable)
Yeah I've been unironically wondering about this. It's nice that software is less likely to be taken advantage of by malicious third parties, but what do you do when it's the vendor themselves who is the malicious actor?
Thanks for the video. My constructive feedback is to zoom in a big more on the code so it’s easier to see in the video. Watching on my phone the code is too small to see. Love the content!
Thinking readable code wasn’t a standard in 2006… 🤣 It was a practice that was ignored just as it often is now, and as it was when I got started in the 90’s
You can search for Critical Program Reading (1975) to see just how old it is. People have been struggling with unreadable source code since the dawn of programming and have tried to figure out solutions. Part of it is the background too. If you're used to math then single character variables often feels like the cleanest solution, but in Java it should be a sentence.
In 2006 Perl still saw regular ( yet dwindling use). Php owned the web and jQuery wasnt really on the scene yet. I think a lot of people are confusing 2006 and 2014...
I'm curious as to how much we'd be able to achieve with this. Cause I'd love to install Linux and Steam on my PS4 and use its GPU for essentially PC gaming lol.
@@FelipeV3444 sadly the gpu driver for the ps4 is not shared by sony so on linux you will be using the integrated graphics of the cpu which is horrible for gaming
@@btwiusearch2linux has been ported to ps4 (currently only for older jailbreaks like 9.00) and it has gpu drivers. also ps4 doesnt even have dedicated graphics iirc
@@SanekGamer007 i also had linux on a jailbroken ps3 and that too had gpu driver but no graphics acceleration but some one somehow programmed a graphics acceleration driver for the ps3
1:32 a small clarification. PPP and PPPoE are not the same. PPP as you mentioned stands for Point-To-Point Protocol it's a dial-up connection daemon. PPPoE stands for PPP over Ethernet. It's a Ethernet connection daemon using PAP/CHAP for authentication. The difference between PPP (pppd) and PPPoE (rp-pppoe) is one used to connect over a landline telephone wire and another (your case) is used to connect over Ethernet.
I like this guy's approach to talking, he knows he's talking about something complicated but manages to not be condescending and spells things out for us un knowledgeable in his special field
The length of a variable name should be relative to its scope. In many contexts, 'buf' is a perfectly adequate name! You don't lose any information using 'i' in a 2 line for loop compared to naming it 'iterator', but it's obviously a different story when you're using it over 2 pages of code.
The irony is that it is Sony products that made me interested in code security concepts because I had a PSP and exploits like this one or exploits using images (forgot which image format) would happen often enough you always had a chance to switch to custom firmware. I think that has made me a better developer, albeit one disappointed by a lot of current enterprise code or disappointed when my patches to up the number of characters in a password field was rejected… because it was certain to cause issues for customers. Haha. Console exploits to enable CFWs is an insane world!
Wow. Some of the stuff that's been achieve in the console world is on another level. I remember watching something where some people reverse engineered the NES hardware with no documentation.
20 years ago most companies didn't want to allow the time for coders to do things properly, they wanted it fast and working so down and dirty code was done all the time. I actually left my job as a programmer (consultant) because too many companies just wanted things patches and fixed fast rather than coded properly so others at a later date would be able to maintain the code without wondering what was going on. I told them if they didn't want it done properly, then I'm not the person they were looking for.
Actually an open code game console WOULD BE WILDLY SUCCESSFUL!!!! Everyone will want one and all the indie developers will want to create games for it and port their old games for it. The potential is MASSIVE! All you need is a safe store that is protected so that devs get their money. Imagine everyone who does game related stuff - games, mods, items - everyone can put their own prise. Sure, you could pirate, but I imagine not many pirates would want to pirate stuff available on the console for like 1$ that goes to the developer and not Ubisoft. Plus open source means holes will be plugged pretty fast.
@@nagaserpentico that wasn't the pitch of ouya. the pitch of ouya was 'to bring videogaming back to the television', whatever the hell that means.. that, and you can make your own games to be sold on the platform.
Naming conventions. Hilarious. FreeBSD kernel still uses variables like this. PS4 is FreeBSD. The style probably followed to the code you are showing given the experience needed to jailbreak a FreeBSD fork. I ran into the same buggy code at my dayjob that uses FreeBSD.
Would be interesting to test if this works on the PS3 OS aswell. As far as i know, it is also based on BSD, but i dont know whether the PS4 also has the lv1 lv2 hypervisor structure
Entirely different processor, definitely won't work. Ps3 was a weird console that developers hated because it was so weird.. same reason it's so hard to emulate even to this day.
Man, what a blessing from the algorithm. I'll be honest mate, I havent got a fucking clue about coding so most of it went over my head. That being said, it was a great watch. You turned a niche technical subject into a really engaging breakdown. Even a pleb like me can get a grasp of it lol
-20 years ago, developers used names like "p" and "h" because of hardware restrictions (specifically harddrive space), it wasn't because they liked doing it that way. 😉 You need to write code a bit differently when you only have 120 MB of space for the operating system and all your programs and files, compared to today where everyone has GBs of free space at all times.- ... Love that shirt btw!! 😀 Thank you everyone for all the feedback! I ended up researching this topic a bit more, and learned a lot! 😎
Your variable names don't exist after compilation, so no need to be terse for that. If you're talking about memory limitations of the developer's computer... In 2004, it wasn't unusual to have a GB of RAM. The contents of a text file really didn't bother computers by then. Maybe this was an issue in the 80's, but not in the 00's. Half Life 2 came out in 2004. Crysis would release just 3 years later. It really wasn't the dark ages anymore. Computers were fast and had plenty of RAM for software development. I've worked with a guy who still named variables like that in 2016 or so. He was getting close to retirement and just stuck in bad habits. People just didn't think as much about code maintainability.
@@Niosus I was basically gonna write the same comment, I was a kid back then but I think our home PC had a 128gb hard drive and 512mb of ram around that time. I think the variable names do exist somewhere in interpreted languages so maybe it was a concern for late 90s Java/JS/PHP programmers? More likely to be habits taught by people who programmed even earlier tho
Yeah, it's not so much hardware limitations, since the names don't stick around after compilation, but more because C programmers for a while had a habit of writing this way and that got passed down to many developers. A lot of older c programmers came from assembly which is where some of it stems from. Sort of the opposite of Java devs 800 character names, LOL
Wew mate my childhood 386 machine back in the early 90s had more than 100MB of hard drive space. I'd very surprised if even back then people worried about how much space their variable names would take up
2024-2006 is not 20 years my guy.... regardless, thats a cool find! Now for someone to run it via GPT and have it clean up the code and find some fun things to do with it.
@@init_yeah untrue, rounding up means you are looking at it from a floating point value. In this case, it's 2024-2006 is 18. You can't round 18 to 20 lol. Simple maths.
People wrote code like that 20 years ago because they didn't want to have to scroll laterally all the time to read lines of code that wouldn't fit onto a 640p monitor.
Thing is, you don't know what their mini socket server is downloading, now it would be easier to enable USB read by default on startup in the kernel so that you don't need an Internet connection. The only good thing is, you could create your own socket server on that port locally and inject your own code which can enable literally everything you want.
It's funny you mentioned you can tell the code looks written long ago, I thought the same thing. (I've been programming since the 90s and was happy seeing people starting to name variables nicely as the years went by.)
2:57 I don't know if it's because of my math background but I actually like single letter variable or pointer names within a single function but the public interface (function signature) shall not use single letter names. And the function implementation shall be short enough to only need use of 3-5 variables. The code ends up looking something like i = ... p = function_argument_x->public_function_name(i); return p->next; or something like that. Having long names for i and p will not improve readability when you only need to remember the name for the next line. And obviously you choose the single letter to match the function name that was used to set the value of said variable.
I think it probably is a maths thing. My wife says I write code like a mathematician with all the single letter variables. Which is fine because I only code for myself, and usually just to make Python do tedious calculations for me. My CS minor serves my maths major.
@@MikkoRantalainen Yeah, depending on what one is specialising in, it seems to me that a lot of CS is as close as any applied subject gets to pure mathematics. I'm definitely more a fan of the logic and algorithms side of things, proofs and all, than the specific implementation in a system.
How much of finding vulnerabilities is actually spending the time familiarizing yourself with the target architecture? I get that these people are insanely smart and knowledgeable, but it definitely seems there is a huge effort and dedication component. Really amazing work
wanna get good at programming? check out lowlevel.academy and get20% off lifetime access. or dont. im not a cop
I love my programing looking like it was written in 2005 and horid function names.
Did you say your name is Ed instead of Low Level Learning for the first time? Classic Ed move to sneak that in
I believe any system can be jail broken, via the ethernet port....and of course some smart developers,
going off on a limb here but i would say they wrote the code in that manner to make it harder for people to read on purpose.
That "im not a cop" at the end makes everything 10 times more sketchy 🙂
Please don't give Me a heart attack and call 2006 "20 years ago." It was only 18 years ago.
Those kids are middleschoolers tho, right?
@dogdicer1153 people born in 2006 have either graduated highschool or are about to graduate 😔
@AndrewBlade another weird one was that i experienced the last kids born in the 90's and the first kids born after 9/11 both graduating while i was in highschool. My graduating year was half kids before and after 9/11. That one usually makes people feel old considering im 6'3 and look older than I am. Time waits for no one
@@AndrewBlade 2002 person here, I'm in 4th year now, bout to graduate college next year
@@dogdicer1153 Bro tried to sneak their height into a comment reply and thought we wouldn't notice 😭😭😭
This is more normal than what it took to hack the Wii. Which was a figurative and literal, pair of tweezers
Probably equally as insane as the tweezer hack on the wii, was doing a man-in-the-middle attack on the pcie bus of the ps4.
The same team that did the tweezer hack on the wii used an fpga board(connected to the ps4 apu) and another PC(where the ps4 “chipset” was connected) and connected those 2 using 115200baud serial(kinda downgrading PCIe to 0.00002x)
Man. When I hacked my PSP, I did by loading images of eggs to it that make it crash lol
Those were the day am I right
@@Notevenmad955 As painful as it sounds, makes perfect sense
@@Notevenmad955 nerd
Holy f*ck I forgot doing that. good times indeed.
People who wrote code like that in 2006 had likely been coding since the 80s, or were heavily influenced by those who had been. I've also been writing code since the 80s, though, so I can tell you that by 2006, single letter variable names were frowned upon, but abbreviations like "buff" were still common place.
"buf" is still common and that's a good thing
But think of all the bytes you could save by shortening your variable names!
Even in the 80s we were trained to use descriptive variable names. Did we do it? Arguably. I mean, buf isn't that bad.
The code shown for the exploit used the exact same naming conventions....
It's not that bad
Did you just graduate Hack Reactor 30 minutes ago?
Single letter variable names have always been frowned upon.
The author of the exploit seems to be TheFlow which has been in the console hacking scene forever (PSP, PSVITA). Thanks for the code breakdown!
@@polite3606 I knew I recognized that name! I’ve hacked both my PSP and Vita lol
2:22 no, P is stored in the balls
So is sperm stored in the bladder then?
Maybe not if your PP gets Pwned
Sperm is in balls. Pee is in the bladder. Peeing in your spouse is not a good idea!
@@ronaldmadican2393 WTF
@@ronaldmadican2393 … 0_0 how do you know that?
"...you have jailbroken your PS4; you can put your own apps on there, you can load your own software, and the PS4 is now effectively yours to do whatever you want with" - Which is exactly the way it should be for hardware which you purchased with your own money.
@@nomore6167 buy a PC if that's what you want lol
@@SouthParkStudio both 😎(Jailbroken ps4 and PC)
@@maniau this what a man of culture looks like ladies and gentlemen.
Unspoken agreement is we give u a high powered piece of hardware for a discount but we own u forever
@@SouthParkStudio Sony isn't going to fuck you, and also tell me you've never had to fight windows to get your computer to do what you want, without telling me.
You talk about 2006 like it was a long time ago!
Oh no...
The kids born during then can be certified for forklift driving by around this year
i was 6/7 years old :(
I was one years old 😂
I wasn't even alive.
my age was in the negatives.
“You can tell this is from ‘07 because of the variable names”
The Go team in complete shambles 😂
Bro, that was cold, but so true... hahaha
don’t talk about when the design of Go as a language looks like it came from
I came to write this 😂
Ironically, Go guidelines tell you to use fully worded variable names, but contrary to OP's claim, no one in the world is silly enough to _not_ shorthand the most common variable names. So, no, "buf", "r", "w", "p", "f" are all perfectly normal and universally understood. It is a Clean Code practice to write silly long names, and Clean Code has been repeatedly proven to be an absolutely atrocious practice that dramatically reduces productivity in any meaningful project, much like literal adherence to the likes of Scrum methodologies or excessive application of design patterns to every triviality. All of this is corporate rubbish that no one honestly follows because everyone quickly realises how impractical it is. There is a reason why Java is universally seen as the greatest corporate brain-rot language.
@@NatiiixLP It's called a joke. I use my fair share of shorthand variable names when appropriate!
Dang, now people who bought devices can run their own code on them
The horror
so dangerous, right? As if you bought a product.
@@MelroyvandenBerg It's worse than that. It's as if you're owning the product.
meaningless comment about how we all got the joke he made
@@TUDORMARCU16 yeah, the elites won't like that!
"...and the PS4 is now effectively yours..." sad words, sad world...
bug reported: 2006
PS4 release: 2013
PS4 FW 11 release: 2023
FW 11.02 (Dec 2023) _may_ have fixed it? Unsure.
This bug was known about 7 years before the PS4 existed and it's still been in there for nearly its entire lifespan. Crazy.
No, I think the software is from 2006 but the bug was just (somewhat) recently discovered.
@@crushermach3263 think you'll find a lot of things are all connected from earliest days when programmers shared code ...stay blessed 💪
@@zdspider6778 no, the bug is from 2006. it was recently discovered that it could be used on the playstation 4, but the bug was identified and known about since 2006
Oooh I have 11.02 on my PS4.
I'm a little disappointed we didn't get to watch you jailbreak your own ps4/5 with this
ua-cam.com/video/YBBEyYsjhCg/v-deo.htmlsi=mzGD29gZIcZNNZhZ&t=419
Yeah, I wanted to see a demo too :(
Sony dev in disguise
Search up Modded Warfare
lookup modded warfare, he got tons of videos on it
That's some nice work, but I spent most of the time here being flabbergasted that a PS4 has a PPPoE client at all.
That’s most likely because the PS4 kernel is a modified OpenBSD kernel. They likely just didn’t disable it
@@ryanilari3537 It's based on FreeBSD, but yes, this was just inherited functionality. Weirdly, the PS4's OS is supposedly based on FreeBSD 9, which is from 6 years after this was patched, so I'm guessing they didn't fully rebase on FreeBSD 9 but kept code around from the PS3's OS (also partially based on FreeBSD), which is basically contemporary with the vulnerability.
Exactly what I was thinking like pppeewhat
@@ryanilari3537 PPPoE is not something you automatically have, it has to be explicitly used. So Sony for whatever reason chose to have this as an option so their console was able to connect directly to your ISP over PPPoE without a router. Quite why anyone would want to do that, I do not know.
That seems like a bad idea even from just a CPU cycles point of view, given how weak the PS4 CPU is.
Can't believe the Xbox one ended up being the most impenetrable home console ever created.
The achilles heel of the PS4 has really been relying so much on open source modules, especially FreeBSD for the kernel. Every time there is a critical CVE, it's open season for another jailbreak.
Microsoft has the privilege of being able to build around in entirely closed source environment. It makes reverse engineering a much more daunting task.
It also gives you dev mode for $20
The polar opposite is the Wii U, which can be hacked with an SD card and the web browser.
@@tbuk8350 Wii is easier to hack and way easier to set up storage
Probably because it's a POS no one is really interested in.
Being able to softmod a PS4 opens easy piracy to a LOT of less technical gamers.
Wow this entire exploit is like an overview of my reverse engineering course I just took. Everything from creating shellcode, identifying and exploring buffer overflows, creating ropchains, defeating protections like ASLR, and heap exploitation. The only thing that is missing that would make this exploit and entire course overview is fuzzing and creating scripts in binja/ghidra
waw, a course covering all those aspects of reverse engineering sounds interesting.
Where can i find this course??
@@hriad I would also be interested in that
@@nicolasfuchs3072 yeah cough it up buddy
OP, please bless us w/ the course
Please please please please dont gatekeep the course 😭🙏🏻
A few of us cared about good naming conventions 20 years ago. A very few of us cared 40 years ago. It's good to have more allies today.
My favorite software joke: The two hardest problems in software engineering are naming, concurrency, and off-by-one errors. 🙂
It sounds like there are 11 kinds of people 😉
"P comes out of H+1"
Man...that is not what 4chan told me.
yeah, i mean, pee is stored in the balls right?
@@GavinFromWeb this is true, but if the p is coming out of the balls then you've got a big problem.
Glad im not the only one who thought of this
Honestly the most surprising thing to me about this is that they have a low level device object for the notification UI. I would think that would be handled by some higher-level API, but I guess not.
Maybe they do and that API makes use of the device as a persistent location.
When you build an OS on FreeBSD, you might as well do things the Unix way.
The exploit gives you kernel access. The notification thing this is just for display purposes. The kernel controls _everything._ Like all of the functions to display text and draw sprites and all that is and ever was. They could have made the entire screen blue if they wanted.
@@zdspider6778 I know the kernel controls everything. I'm just surprised that /dev/notification (or whatever it is) is all you need to send a notification. I would have thought it would be more involved (e.g. building up structs, sending it as a message to the userspace process for notifications, etc.)
Might be there for debugging purposes. Some system that is entirely disconnected from the gui and other services that can keep on showing information on screen even if the entire gui locks up.
Might even have been designed initially to show its messages on e.g. an lcd display on the front of the device.
As note, it was released on 2013, so probably it was coded between 2010-2012, so its not far away from 2006. So it has been jailbroked after 11 years. PS3 was jailbroked after 3-4 years only.
there has been a lot of other exploits before this one, iirc 4-5 years after release
@@klairm9097 flatz jailbroke 1.76
PS4 has been jailbroken many times before on earlier firmwares. This one is just the latest one that works until 11.00.
Also Sony is constantly patching the software with updates, this bug could have been patched at any point between 2013 and now, but it wasn't because no one knew it was in there until now.
True, but what he was referring to is that this exploit was already in the wild in 2006, which is why it the claimed date is roughly correct. There are plenty of other exploits using the same vulnerability, just with different hardware, or ordered increments. Honestly can't wait till PS4 stops getting updates, so we don't ever need 2 worry about patches screwing with custom ecosystems anymore.
@@elvendragonhammer5433 Might be a long ways off. Even the PS3 had a recent-ish update. But definitely share the sentiment!
The algorithm deemed this foreign video as permissable to watch. Even though i dont understand your language you sound very confident so i agree whole heartedly.
@@M_reapr You dont speak english but can type out a sentence thats more readable than people who speak perfect english??? Huh?
@@AgentSephirothI mean you speak English and still didn't understand what the user was actually saying 😅
1:16 once jailbroken, "the PS4 is now effectively yours". So before jailbreaking, you can't put your own software on it. If you can't do whatever you want with it, do you really own it?! Even if you bought it, purchased it, paid for it, if you don't have full and total control over the device, do you actually OWN it?! What does ownership even mean these days?!
legally, the console hardware is yours, but the software on it is licensed to you by sony, and sony can revoke that license at any time (though I am not aware of any instances where they have done this to anyone). given that the software is installed in such a way that sony hopes you will never be able to modify it without their consent, the hardware is also effectively controlled by them in practice unless you find a way to get past their protections, hence what is said in the video
that is to say, ownership means what it always has, in a sense, but software companies keep trying to find ways for that to be less useful to you. another good example is with modern games; technically you don't own those either, they're also just licensed to you, and that license can be revoked at any time. I believe it's technically been that way from day 1, but it's only within the last 10-20 years that publishers have gained the ability to actually enforce that through modern DRM
but also remember: if buying isn't owning, then piracy isn't stealing :)
@@powerLien Wait, even the OS IS GIVEN under a license?!
Wow, I want to read the T&Cs on this one!...
@@Brahvim windows is like this too. if you change the hardware in your computer too much without reinstalling windows, it will revoke itself, because microsoft bases the validity of a windows license on the particular hardware configuration windows sees when it's first installed
technically, you don't really own any software that you don't make yourself, even if it's free. what matters is the terms under which it's licensed to you. ex: linux is licensed to you under the GPL, which in practice means it's free forever
Eh, Linux is free and fully yours
@@powerLien amen to that
2:59 "You can tell this code was written in '06 ... naming variables like buf and r and p and h" - Even back in 2006, those were terrible variable names, and coding naming guidelines said to favor readable pronounceable whole words over obtuse fragments (at least I recall the Windows API design guidelines stating that, attempting to correct past blunders :b).
although, Windows apps are meant to run, and be updated for years. Game consoles, not so much.The only coders looking at this code are trying to hack the console! It's not nearly so desirable to have readable code in the console world (unless you're porting a particular game to other platforms)
0:40 this is the first video I've seen where you introduce yourself as Ed instead of "Low Level Learning". I like Ed a lot better.
Someday I hope console makers will realize their stuff is gonna get hacked and just lean into the user freedom angle. Kinda like the stream deck is doing now
They do; they just hope the defenses last long enough so they can get to their next iteration without someone breaking it and defeating DRM etc. It's why I suspect Microsoft allowed developer mode on the Xbones, those who want to write games and apps can do so, without having to exploit the whole system, leaving that area only for the pirates to investigate.
The PS3 let you officially install Linux. I think they removed that because they were worried someone would use the Linux environment for jailbreaks...
But ironically, taking away Linux created a much bigger incentive to jailbreak the console, that is, bringing Linux back 😆
@@DigitalDiabloUK Wasn't the Switch broken, like, Day 1? You can't defend anything with an OS
Yeah, steam is this whole "piracy is a utility issue" thing, provide a good service and it goes away mostly.
Eventually though steam servers will one day shutdown, and then do we really own anything?
You ought to have a series sort of documenting how various consoles and machines were jailbroken sort of like MVG but maybe more code oriented/step by step
MVG is a king. He gets down and dirty with the code, but this channel is even lower-level than that!
agreed!! would be awesome to see a low level oriented console hacking series
Thanks for doing this rundown! Heap exploits always seem to have to be wildly complex -- building primitives, finding targets, getting rw/exec'ble memory, getting to stack, cleaning up... always nice to get the nickel tour
You should look at the earlier jailbreaks, it's crazy what has happened over the years to the PS4 with some "fixes" not actually addressing the issue
3:02: “naming variables things like buf and r and p and h are just, like, terrible naming conventions” don’t let Rob Pike catch you saying that; they’re still acting like you get charged by the byte when you write golang source code
You get charged by the character when you read it. The longer the name, the more it distracts you from seeing the shape of the code and understanding what it actually does.
@@hobbified only if the code itself is short, neatly written, and contains no bugs. I've spent way too much time deciphering unreadable mumbo jumbo in my career just because some bright minds wanted to use up the entire alphabet for variables instead of treating a programming language as, well, an actual language 😅
Short variable names should only be used within very short functions. People are making out like you write all go code like this.
Calling an integer you are manipulating, i, in a 3 line function for instance.
If you are using short variable names in any other way, you are doing it wrong.
@@golangismyjam ideally yes. however, in my dealings with the arbiters of Go style from my time at Google, and from reading the stdlib, there was a strong cultural norm towards shortness for its own sake, even at the expense of what I would judge as readability.
@@golangismyjam when writing Go code at Google, in my experience the style reviewers for the language strongly pushed authors to shorten variable names in most situations, even beyond the “just a few lines” case (which, in that particular context, I would not find objectionable)
This is why memory safe languages like rust are bad for user freedom.
LOL
*that's why BSD should have been under the GPL
@@mskiptrwhere's the lie?
This message brought to you by GPL superiority gang
Yeah I've been unironically wondering about this. It's nice that software is less likely to be taken advantage of by malicious third parties, but what do you do when it's the vendor themselves who is the malicious actor?
@@thesenamesaretaken Get out the soldering iron. No software can totally protect it self from the layers of abstractions below it.
0:17 since 2006? dayum, bug leaks came 7y before the ps4 even released lol
@@JoArtsDev maybe it's a bug from ps3? 🤷♂️
I think he meant 2016. 💀
Thanks for the video. My constructive feedback is to zoom in a big more on the code so it’s easier to see in the video. Watching on my phone the code is too small to see. Love the content!
You can't just to round 17 years to 20, Aubrey
Aubrey 💀💀💀💀💀
nope he can
LMAO
18*
Can work both ways. Sometimes you include code that is so old,it doesn't have any if the newer vulnerabilities in more modern versions of that code 😂
Ah the good'ol "too broken to be lockpicked" strategy
This comment deserves more likes 😂
i mean, just run a windows 98 system and you'll get so few viruses. granted, you won't be able to do much on the pc tho, but no viruses.
This is wild! Awesome content as always. So crazy that was around 20 years.
YOOOO my guy! Thank you! 🫡
Thinking readable code wasn’t a standard in 2006… 🤣
It was a practice that was ignored just as it often is now, and as it was when I got started in the 90’s
"If it was hard to write, it should be hard to read."
You can search for Critical Program Reading (1975) to see just how old it is.
People have been struggling with unreadable source code since the dawn of programming and have tried to figure out solutions.
Part of it is the background too. If you're used to math then single character variables often feels like the cleanest solution, but in Java it should be a sentence.
In 2006 Perl still saw regular ( yet dwindling use). Php owned the web and jQuery wasnt really on the scene yet.
I think a lot of people are confusing 2006 and 2014...
@@DavidCowie2022 some developers seem to think that “security through obscurity” is a coding style and applies to job security.
it wasn't ignored "as often as it is today" at all, they obviously cared about it less. are you stupid?
So I have already have a broken PS4... Time to have fun with it I gues
I'm curious as to how much we'd be able to achieve with this. Cause I'd love to install Linux and Steam on my PS4 and use its GPU for essentially PC gaming lol.
@@FelipeV3444 sadly the gpu driver for the ps4 is not shared by sony so on linux you will be using the integrated graphics of the cpu which is horrible for gaming
@@btwiusearch2linux has been ported to ps4 (currently only for older jailbreaks like 9.00) and it has gpu drivers.
also ps4 doesnt even have dedicated graphics iirc
@@SanekGamer007 sorry i meant gpu acceleration it doesnt have that
@@SanekGamer007 i also had linux on a jailbroken ps3 and that too had gpu driver but no graphics acceleration but some one somehow programmed a graphics acceleration driver for the ps3
1:32 a small clarification. PPP and PPPoE are not the same. PPP as you mentioned stands for Point-To-Point Protocol it's a dial-up connection daemon. PPPoE stands for PPP over Ethernet. It's a Ethernet connection daemon using PAP/CHAP for authentication.
The difference between PPP (pppd) and PPPoE (rp-pppoe) is one used to connect over a landline telephone wire and another (your case) is used to connect over Ethernet.
I like this guy's approach to talking, he knows he's talking about something complicated but manages to not be condescending and spells things out for us un knowledgeable in his special field
1:14 rather you now actually own the thing, what a concept.
The length of a variable name should be relative to its scope. In many contexts, 'buf' is a perfectly adequate name! You don't lose any information using 'i' in a 2 line for loop compared to naming it 'iterator', but it's obviously a different story when you're using it over 2 pages of code.
Wish you gave TheFlow0 a shout out because that guy is a legend when it comes to sony console exploits.
Sony is wierd for keeping pppoe as an option for network connection. But its good that they did it.
Nice to meet you Ed 😊
the moment I hear PPPoE I think: Who the fuck would use a PS4 as a DSL modem?
this stuff is over my head but i still enjoy your content
One last video before i go to bed ,
This video
Did you go to bed yet?
@@nickst2797 ya dude , good night its 2:20 am here in india
@@nickst2797 I wonder if we can get people to leave nice comments for him to wake up to?
Have cholay and anda in ur breakfast lol!
Im also gonna sleep after this, 4:30am for me >:D
The irony is that it is Sony products that made me interested in code security concepts because I had a PSP and exploits like this one or exploits using images (forgot which image format) would happen often enough you always had a chance to switch to custom firmware. I think that has made me a better developer, albeit one disappointed by a lot of current enterprise code or disappointed when my patches to up the number of characters in a password field was rejected… because it was certain to cause issues for customers. Haha. Console exploits to enable CFWs is an insane world!
Wow. Some of the stuff that's been achieve in the console world is on another level. I remember watching something where some people reverse engineered the NES hardware with no documentation.
"Its clear its been written in 06"
Me still using single letter variables: BD
20 years ago most companies didn't want to allow the time for coders to do things properly, they wanted it fast and working so down and dirty code was done all the time. I actually left my job as a programmer (consultant) because too many companies just wanted things patches and fixed fast rather than coded properly so others at a later date would be able to maintain the code without wondering what was going on. I told them if they didn't want it done properly, then I'm not the person they were looking for.
Actually an open code game console WOULD BE WILDLY SUCCESSFUL!!!! Everyone will want one and all the indie developers will want to create games for it and port their old games for it. The potential is MASSIVE! All you need is a safe store that is protected so that devs get their money. Imagine everyone who does game related stuff - games, mods, items - everyone can put their own prise. Sure, you could pirate, but I imagine not many pirates would want to pirate stuff available on the console for like 1$ that goes to the developer and not Ubisoft. Plus open source means holes will be plugged pretty fast.
We have that - it's a regular computer XD
@@nagaserpentico that wasn't the pitch of ouya. the pitch of ouya was 'to bring videogaming back to the television', whatever the hell that means.. that, and you can make your own games to be sold on the platform.
Naming conventions. Hilarious. FreeBSD kernel still uses variables like this. PS4 is FreeBSD. The style probably followed to the code you are showing given the experience needed to jailbreak a FreeBSD fork. I ran into the same buggy code at my dayjob that uses FreeBSD.
"P comes out of H+1" after being stored in the balls, obviously
Showing my age but that naming convention buf,p,etc.. would have not passed code reviews from 30 years ago maybe in the 70's when memory was limited.
Love your T-shirt! 🙂
Love it too! Came to the comments to say the same thing lol
This makes me so happy.
2:26 missed opportunity to confirm that pee is stored in the balls
That laugh hurt.
As someone in the "hacking" seine i really like how you explained the exploit, its pretty wild how it got exploited
Wears shirt saying "everything is open source if you can read assembly" while complaining about abbreviated variable names! :-)
The PS3 could be jailbroken with a texas instrument calculator. Still one of the funniest things ever in tech to me.
Wanna feel old? 2004 was 20 years ago. I was a lost kid at uni drinking cheap beer...
uni 1968...
Born in '03, drinking cheap beer myself now. :)
I wish I could say this to myself 20 years from now
@@sunsetman22just dont win a Darwin Award and you'll be good.
@@sunsetman22Not with that attitude... You'd be amazed how fast a couple of decades can wiz by.
Ed kidnapped Low Level Learning. Never forget, never surrender, stay strong LLL 💪
Who told you
Would be interesting to test if this works on the PS3 OS aswell. As far as i know, it is also based on BSD, but i dont know whether the PS4 also has the lv1 lv2 hypervisor structure
Memory exploits often cause the ps3 to crash. The risk for bricking is too high so they are not ideal.
Not accurate at all @@wingedzero
Entirely different processor, definitely won't work.
Ps3 was a weird console that developers hated because it was so weird.. same reason it's so hard to emulate even to this day.
@@sirtra rpcs3 is making a lot of progress, no?
@@MuadDiiib still no save state functionality but sure.
The next time I complain about a black duck scan at work, I'll come back and watch this... 😅
It was also noted there that it works on PS5.
Is this really the time we are going to see more PS4 and PS5 as Linux desktops?! Would be fire actually
I mean, they have x86_64 CPUs, you just would need drivers for GPUs (same arch as AMD desktop GPUs) and the wifi chip, and some more firmware.
from what i know, you can run linux on the ps4, if you have the firmware 9.00 and below jailbreak, i don't know how it is for the 11.00 one.
You could add most of this dialogue to an 80s hacker movie and it would fit right in perfectly.
real name reveal is crazy
I've always wanted it, and he finally did it! Hey, Ed! Thanks for all the videos!
Why should he care when he has already revealed his REAL face? 😀
your break down of the code reminds me of playing a OTK deck in yugioh; everything is chained together in this ridiculous combo
I like your funny words, magic man
Nice T shirt!
Description doesn't seem accurate 👀
the apple playstation
Hmmm 🤔
thank you youtube is trying to end my career ong
I'm a professional Java developer and I understood 20% of what the heck you just said
Who's this Ed and what have you done with Low Level Learning ?
Meanwhile everyone with a PS4 that has standards against piracy now rushing to crack their stuff.
P comes out of...
Watching this without any clue on coding is pretty cool. I can see butterflies flying around.
hehe he said pp
Not only that, he also said pp pee
Man, what a blessing from the algorithm. I'll be honest mate, I havent got a fucking clue about coding so most of it went over my head. That being said, it was a great watch. You turned a niche technical subject into a really engaging breakdown. Even a pleb like me can get a grasp of it lol
His name is what? LLL?
Me nodding my head to this as if i understand anything
-20 years ago, developers used names like "p" and "h" because of hardware restrictions (specifically harddrive space), it wasn't because they liked doing it that way. 😉 You need to write code a bit differently when you only have 120 MB of space for the operating system and all your programs and files, compared to today where everyone has GBs of free space at all times.-
... Love that shirt btw!! 😀
Thank you everyone for all the feedback! I ended up researching this topic a bit more, and learned a lot! 😎
Your variable names don't exist after compilation, so no need to be terse for that.
If you're talking about memory limitations of the developer's computer... In 2004, it wasn't unusual to have a GB of RAM. The contents of a text file really didn't bother computers by then. Maybe this was an issue in the 80's, but not in the 00's. Half Life 2 came out in 2004. Crysis would release just 3 years later. It really wasn't the dark ages anymore. Computers were fast and had plenty of RAM for software development.
I've worked with a guy who still named variables like that in 2016 or so. He was getting close to retirement and just stuck in bad habits. People just didn't think as much about code maintainability.
@@Niosus Those are definitely good points! I keep forgetting how 20 years ago means 2004 😭 I'm getting too old! 🤣
@@Niosus I was basically gonna write the same comment, I was a kid back then but I think our home PC had a 128gb hard drive and 512mb of ram around that time. I think the variable names do exist somewhere in interpreted languages so maybe it was a concern for late 90s Java/JS/PHP programmers? More likely to be habits taught by people who programmed even earlier tho
Yeah, it's not so much hardware limitations, since the names don't stick around after compilation, but more because C programmers for a while had a habit of writing this way and that got passed down to many developers. A lot of older c programmers came from assembly which is where some of it stems from. Sort of the opposite of Java devs 800 character names, LOL
Wew mate my childhood 386 machine back in the early 90s had more than 100MB of hard drive space. I'd very surprised if even back then people worried about how much space their variable names would take up
C developers and buffer overflows.
Name a more iconic duo. I'll wait.
2024-2006 is not 20 years my guy.... regardless, thats a cool find! Now for someone to run it via GPT and have it clean up the code and find some fun things to do with it.
Not, if you round up
@DanteS-119 Did you just see GPT and not read the rest of what I put?
@@init_yeah untrue, rounding up means you are looking at it from a floating point value. In this case, it's 2024-2006 is 18. You can't round 18 to 20 lol. Simple maths.
People wrote code like that 20 years ago because they didn't want to have to scroll laterally all the time to read lines of code that wouldn't fit onto a 640p monitor.
Just a reminder: fuck sony
Based and true
Me completely fascinated by even the basic socket receive and notification send code 😂
Bloodborne for Pc is coming rahhhhhhhhhhhhhhhhhhh
I've been an adamant advocate of SBOMs at work and now finally we are introducing them.
For this video a higher resolution would help a lot, just because it makes the code much more easily readable.
rawr
xd
I think Ed should be hosting more often
That t-shirt is funny and makes a lot of sense. The best jokes always do.
I had no clue what this man said & still left entertained & informed.
We've known about good variable names for more than 20 yrs... some people just suck at naming things b/c they're bad at communicating.
Yeah, but also, most of that module's code probably predates 2006. It was just the 2006 iteration.
Thing is, you don't know what their mini socket server is downloading, now it would be easier to enable USB read by default on startup in the kernel so that you don't need an Internet connection.
The only good thing is, you could create your own socket server on that port locally and inject your own code which can enable literally everything you want.
It's funny you mentioned you can tell the code looks written long ago, I thought the same thing. (I've been programming since the 90s and was happy seeing people starting to name variables nicely as the years went by.)
damn thats crazy complex props to the one who put all that together, so many moving parts
2:57 I don't know if it's because of my math background but I actually like single letter variable or pointer names within a single function but the public interface (function signature) shall not use single letter names. And the function implementation shall be short enough to only need use of 3-5 variables. The code ends up looking something like
i = ...
p = function_argument_x->public_function_name(i);
return p->next;
or something like that. Having long names for i and p will not improve readability when you only need to remember the name for the next line. And obviously you choose the single letter to match the function name that was used to set the value of said variable.
I think it probably is a maths thing. My wife says I write code like a mathematician with all the single letter variables. Which is fine because I only code for myself, and usually just to make Python do tedious calculations for me. My CS minor serves my maths major.
@@hughcaldwell1034 I did CS major and maths minor but I think it makes sense that the end result is almost similar.
@@MikkoRantalainen Yeah, depending on what one is specialising in, it seems to me that a lot of CS is as close as any applied subject gets to pure mathematics. I'm definitely more a fan of the logic and algorithms side of things, proofs and all, than the specific implementation in a system.
How much of finding vulnerabilities is actually spending the time familiarizing yourself with the target architecture? I get that these people are insanely smart and knowledgeable, but it definitely seems there is a huge effort and dedication component. Really amazing work