PS4 NOR Flash Dump MX25L25635FMI-10G for CXD90025G Arrives

46w ago - Following up on the previous PS4 Macronix MX25L25635FMI-10G and MX25L1006E NOR Flash dumps, today Sony PlayStation 4 hacker cfwprophet has made available a PS4 NOR Dump 1.06 (without MAC Address & Console-ID), a dump of the serial flash MX25L25635FMI-10G for CXD90025G, with some analysis details below.

Download: [Register or Login to view links] (27.59 MB)

To quote: Subject: Dump of serial flash MX25L25635FMI-10G for CXD90025G

Reference file: PS4 NOR Dump 1.06 (without MAC Address & Console-ID)

Notes:

Size: 0x2000000 filesize / 0x1D40000 datasize
Statistics: 2.64-2.66% 00's / 11.83% FF's / < 0.38% rest
Entropy: 6.96569 (87.0711%) - 7.52856 (94.107%)
Redundancy: 12.9289% - 5.893%
A. Mean: 131072
StdDev: 454103 - 245647
Strings: Flash-Main/strings
Observation:

[Register or Login to view code]

From modrobert (via eurasia.nu/modules.php?op=modload&name=Forums&file=viewtopic&topic=7171&forum=103#33454): I have analyzed the binary and there seems to be an interesting area not mentioned:

Starting at offset 0x144200 there is a pretty big area which doesn't seem to be encrypted. I found the area by making a raw image conversion to get a better visual view of the data.

The arrow marks the area which doesn't seem to be encrypted.

Here's a close-up of the same area; look at the top bar, the grains look lumpy there, not even like the encrypted area below.

If you want to have a look, you can find the hi-res image here. Here's a hex dump of the first part of the suspect area.

[Register or Login to view code]

This looks more like executable code to me, not sure what the target device might be.

[Register or Login to view code]

Yes, this looks executable indeed; check the strings up there, embedded Linux maybe.

[Register or Login to view code]

Wireless/Bluetooth firmware!? Unencrypted?! We can't be that lucky.

  • Generic Bluetooth SDIO driver

Source code: kerneldox.com/kdox-linux/d3/d99/btsdio_8c_source.html

By the looks of it, this flash can be read by several PS4 devices accessing different offsets, so maybe we can use that to our advantage and modify data on the fly only when the decrypted area is accessed without breaking checksum in the original flash as a whole.

I'm thinking of a hardware device between the PS4 Wifi/Lan/Bluetooth circuit (or whatever it is) and the MX25L25635FMI-10G flash chip.

I found the Verilog model for the MX25L25635F flash from the manufacturer, so should be possible to emulate the flash in an FPGA for interesting manipulation. Also attached (PDF / ZIP), if their files suddenly disappear: macronix.com/en-us/Product/Pages/ProductDetail.aspx?PartNo=MX25L25635F

Thanks goes to cfwprophet on IRC, I learned a lot of new stuff about the PS4. A block diagram of the MediaCon functions is also attached.
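The raw-image inspection modrobert describes (spotting a region whose byte distribution looks different from the surrounding ciphertext) can be done numerically with a sliding-window entropy scan, the same statistic cfwprophet lists for the whole dump. The following is an added example, not code from the post or its authors: it scans an image in fixed windows, merges consecutive low-entropy windows into byte ranges, and is demonstrated on a constructed stand-in image with a block of code-like plaintext spliced in at 0x144200 (the real dump is not used; window size and threshold are assumptions).

```python
import math
from collections import Counter
from random import Random


def shannon_entropy(block: bytes) -> float:
    """Bits per byte: 0.0 for constant data, close to 8.0 for ciphertext/random."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def low_entropy_regions(data: bytes, window: int = 4096, threshold: float = 6.5):
    """Scan `data` in fixed windows and merge consecutive windows whose entropy is
    below `threshold` into (start, end) byte ranges. Encrypted or compressed data
    sits near 8.0 bits/byte; machine code, strings and tables sit well below."""
    regions, run_start = [], None
    for off in range(0, len(data), window):
        if shannon_entropy(data[off:off + window]) < threshold:
            if run_start is None:
                run_start = off
        elif run_start is not None:
            regions.append((run_start, off))
            run_start = None
    if run_start is not None:
        regions.append((run_start, len(data)))
    return regions


def build_sample_image(seed: int = 1) -> bytes:
    """Constructed stand-in for a flash dump: 2 MiB of PRNG bytes (mimicking
    ciphertext) with 64 KiB of repetitive, code-like plaintext at 0x144200."""
    rng = Random(seed)
    buf = bytearray(rng.randbytes(0x200000))
    plain = (b"Generic Bluetooth SDIO driver\x00" + bytes(range(0x40))) * 1024
    buf[0x144200:0x144200 + 0x10000] = plain[:0x10000]
    return bytes(buf)


if __name__ == "__main__":
    img = build_sample_image()
    for start, end in low_entropy_regions(img):
        ent = shannon_entropy(img[start:end])
        # Percentage shown the same way as the dump statistics (entropy / 8 bits)
        print(f"suspect plaintext 0x{start:X}-0x{end:X}: {ent:.3f} ({ent / 8:.2%})")
```

Window boundaries are fixed, so a region that starts mid-window (as 0x144200 does) is reported from the next full window; shrink the window to tighten the edges at the cost of noisier entropy estimates.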

Finally, from smhabib:

[Register or Login to view code]

OF PUP!

The first 40 bytes are encrypted with aes-256-cbc and the result is used as erk and riv for the next 240 bytes. Now that is decrypted through aes-128-ctr, and now you can find the location of the encrypted sections + hmac key + erk/riv keys. The rest of the sections are also encrypted with aes-128-ctr. Enjoy! j/k





#13 - technodon - 46w ago
Someone found a vulnerability: when you launch Vidnow for the first time it gets a file called vidzone_386_US.db.psarc, which is 5 MB. This file loads into a 60k TCP buffer.

No checks are done at all on the file's size/hash/contents. A carefully crafted file may be able to exploit this or similar issues to gain code execution. You can use aldostools' PS3_PSARC_GUI.exe in [Register or Login to view links] ([Register or Login to view links] / [Register or Login to view links]) to unpsarc it.

#12 - RetroA - 46w ago
Haa... True... Geohot made like 6-7 jailbreaks starting from 3.15, then finally he got sued on 3.55.

#11 - anamsel007 - 46w ago
I agree with you...

Jail in hacker Mind...

#10 - NTA - 46w ago
And then 3 more firmware updates and the removed features start, lol.

#9 - Tek9 - 46w ago
Wow, why am I not surprised that hackers are already figuring out ways to get into the PS4 system? Next thing you know, homebrew appears.
