Editing Vulnerabilities

== Usermode Exploits (Game Savedata) ==

See [https://www.psdevwiki.com/ps1/Vulnerabilities PS1 savedata exploits on PS1 Dev Wiki].

Official PS Classic games (warning: some may be remastered, to check) on PS4/PS5 available on PS Store:

* Mr. Driller - PlayStation Plus Premium subscription only (?)

* https://www.playstation.com/en-us/editorial/iconic-must-play-titles-on-playstation-plus-classics-catalog/

"I have bought some of them on the PS3/Vita and the ones I could claim on the PS4/PS5 were Tekken 2 (which previously was not redeemable), all Syphon Filter games, all Wild Arms games, Legend of Dragoon, Ridge Racer Type 4 and Jumping Flash. Resident Evil Director's Cut is NOT redeemable. The rule of thumb is: if you can buy it on PS4/PS5 - and not only claim it through plus premium/deluxe sub, like Resident Evil 1 - they are redeemable from a previous purchase on PS3/PSP/Vita."

Official PS Classic games (warning: some may be remastered, to check) on PS4/PS5 sold on Bluray Discs:

* Tomba! by LRG (for PS5: UP6893-PPSA21381_00-0240103642659799-U001)

* TBA 2025 by LRG: Tomba 2 The Evil Swine Return

* TBA 2025 by LRG: Gex Trilogy: Gex, Gex Enter the Gecko, Gex 3 Deep Cover Gecko

* TBA 2025 by LRG: Clock Tower: Rewind https://store.playstation.com/en-us/concept/10010305 Notice: PS1 Clock Tower is not the original game. The first game in the series was Clock Tower (1995) - first released on the SNES, later ported to PS1, PC and WonderSwan, but only ever released in Japan. The PS1 game is the second game, and was called Clock Tower 2 in Japan but just Clock Tower everywhere else, even though it is a sequel and not a port of the original. So Clock Tower 2 on the PS1 is the third game, and Clock Tower 3 on the PS2 is the fourth game.

* TBA 2025 by LRG: Fear Effect

* TBA 2025 by LRG: Fighting Force and Fighting Force 2

* ADK DAMASHII™ UP0576-CUSA03783_00-SLPS259060000001 https://image.api.playstation.com/cdn/UP0576/CUSA03783_00/BpMMUC8q1MRAsL9iWDh6vbW844hq3JXK.png

* Dark Chronicle (Dark Cloud 2) UP9000-CUSA02037_00-SCUS972130000001 https://image.api.playstation.com/cdn/UP9000/CUSA02037_00/hIKSKqBMerypNW49TCECATZSBBUcSBph.png

* Eternal Ring UP1022-CUSA04654_00-SLUS200150000001 https://image.api.playstation.com/cdn/UP1022/CUSA04654_00/DRIS0z7mtNMYZPchoqLnKlhJqyNvM8mZ.png

* See [https://www.playstation.com/en-us/editorial/iconic-must-play-titles-on-playstation-plus-classics-catalog/].

These PS2onPS4 games can be bought online directly via Limited Run Games for brand new or for example on Ebay for second hand or like new.

* https://wololo.net/2012/09/01/when-the-psp-and-the-vita-show-their-battle-scars/

* https://wololo.net/talk/viewtopic.php?f=52&t=11183&start=10#p143779

* https://www.playstation.com/en-us/editorial/iconic-must-play-titles-on-playstation-plus-classics-catalog/

* Tekken 6 UP0700-CUSA33754_00-TEKKEN6000000000

* Killzone: Liberation (2006) EP9000-CUSA37875_00-UCES002790000000

* Ratchet & Clank: Size Matters (2007) UP9000-CUSA41395_00-UCUS986330000000

* Syphon Filter: Logan's Shadow (2007) EP9000-CUSA32631_00-UCES007100000000

* Pursuit Force (2005) UP9000-CUSA37191_00-UCUS986400000000 or EP9000-CUSA37192_00-UCES000190000000 or HP9000-CUSA37193_00-UCKS450160000000

* Resistance: Retribution (2009) UP9000-CUSA32636_00-UCUS986680000000 or EP9000-CUSA32637_00-UCES011840000000

* Jeanne d’Arc (2006) UP9000-CUSA41018_00-UCUS987000000000

* Jak and Daxter: The Lost Frontier UP9000-CUSA41282_00-NPUG803300000000 (for PS5: UP9000-PPSA14325_00-NPUG803300000000-U001) patch 1.02 requires PS4 11.50 or PS5 9.00

* LEGO Star Wars II: The Original Trilogy UP1082-CUSA41250_00-ULUS101550000000 (for PS5: UP1082-PPSA14300_00-ULUS101550000000, UP1082-PPSA14300_00-0804842924824650-U002) or EP1006-CUSA41251_00-ULES004790000000, patch 1.01 requires PS4 11.50 or PS5 9.20

* Daxter UP9000-CUSA36097_00-NPUG803290000000 (for PS5: UP9000-PPSA09695_00-NPUG803290000000-U001) patch 1.01 requires PS4 11.50 or PS5 9.20

* Bigger kernel attack surface (more usermode privileges) versus WebKit very restricted and becoming more and more with firmware revisions. For example, the PS2emu process uses libkernel_sys, which supports nmount and so mounting of system partitions, whilst neither libkernel_web nor regular libkernel do.

* [https://github.com/McCaulay/mast1c0re mast1c0re implementation by McCaulay (2023-02-18)]

'''No''' as of PS4 FW 11.50 and PS5 FW 8.00. Using the PS2onPS4 game Okage Shadow King, the exploit should work starting from PS4 FW 3.15 and PS5 FW 1.00.

 

 

 

 

 

 

 

 

'''No''' as of PS4 FW ?12.00? and PS5 FW 7.61.

=== FW <= 10.71 - BD-JB2 - Path traversal sandbox escape by TheFloW ===

* TheFloW for the exploits finding (before 2023-09-11), ethical disclose to SCE (2023-09-22) and public disclosure (2023-10-25)

* [https://twitter.com/theflow0/status/1701154155744645349 Removed tweet of BD-JB2 logs on a 7.61 PS5 by TheFloW (2023-09-11)]

Basing on BD-JB1 exploit files, in /bdmv/bdjo.xml changing bdjo/applicationManagementTable/baseDirectory to a path of the form `file:///app0/cdc/lib/../../../disc/BDMV/JAR/00000.jar` allows loading a JAR Java executable file.

* [https://twitter.com/theflow0/status/1717088032031982066 PoC by TheFloW (2023-10-25)]

'''No''' as of PS4 FW 10.71 (maybe patched on PS4 FW 11.00). '''Yes''' on PS5 FW 8.00.

=== FW <= 9.00 - BD-JB - Five vulnerabilities chained by TheFloW ===

=== WebKit sources ===

 

[https://doc.dl.playstation.net/doc/ps4-oss/webkit.html WebKit sources]

 

[https://web.archive.org/web/20241007081407/https://doc.dl.playstation.net/doc/ps4-oss/webkit.html WebKit sources] archived currently up to version 11.00. Useful for people that cannot access PlayStation URLs and also for when Sony will inevitably stop hosting the sources.

 

=== FW ?6.00-11.52? - get_by_id_with_this associated with ProxyObject can leak JSScope objects ===

* [https://github.com/WebKit/WebKit/commit/aa31b6b4d09b09acdf1cec11f2f7f35bd362dd0e WebKit bug-reintroducing commit by Darin Adler reviewed by Alex Christensen (2016-12-31)]

* [https://bugs.webkit.org/show_bug.cgi?id=235551 WebKit fix talk by Yusuke Suzuki reviewed by Mark Lam (2022-01-24)]

* [https://github.com/WebKit/WebKit/commit/486816dc355c19f1de1b8056f85d0bbf7084dd6e WebKit fix commit by Yusuke Suzuki reviewed by Mark Lam (2022-01-25)]

The History API allows access to (and modification of) a stack of the pages visited in the current frame, and these page states are stored as a <code>SerializedScriptValue</code>. The History API exposes a getter for state, and a method <code>replaceState()</code> which allows overwriting the "most recent" history entry.

The bug is that <code>FrameLoader::loadInSameDocument()</code> takes the state as an argument (<code>stateObject</code>), but does not increase its reference count. Only a <code>HistoryItem</code> object holds a reference to the <code>stateObject</code>. <code>loadInSameDocument()</code> can trigger a callback into user JavaScript through the <code>onblur</code> event. The user's callback can call <code>replaceState()</code> to replace the <code>HistoryItem</code>'s state with a new object, therefore dropping the only reference to the <code>stateObject</code>. When the callback returns, <code>loadInSameDocument()</code> will still use this free'd object in its call to <code>statePopped()</code>, leading to the use-after-free.

When <code>loadInSameDocument()</code> is called it changes the focus to the element its scrolling to. If we set the focus on a different element prior to <code>loadInSameDocument()</code>'s execution, the blur event will be fired on that element. Then we can free the <code>stateObject</code> by calling <code>replaceState()</code> in the <code>onblur</code> event handler.

The bug is triggered by <code>history.back()</code> with the target state whose URL contains a hash. Here's a Proof-of-Concept that will crash:

input = document.body.appendChild(document.createElement('input'));

foo = document.body.appendChild(document.createElement('a'));

    alert('you get a crash after you close this alert');

    event.state; // use the freed SerializedScriptValue

addEventListener('popstate', pop);

history.pushState('state1', '', location + '#foo'); // URL with a hash

history.pushState('state2', '');

setTimeout(() => {

    input.onblur = () => {

    setTimeout(() => {

 

 

 

* Simple PoC for ASAN webkit-gtk by Maddie Stone in Maddie Stone's writeups

* [https://github.com/springsec/CVE-2022-22620/blob/main/CVE-2022-22620_infoleak_exploit.html Information leak PoC for webkit-gtk by springsec]

* [https://discord.com Arbitrary RW PoC (PSFree) for PS4 6.00-9.60 and PS5 1.00-5.50 by abc on ps4-dev discord (to mirror)]

'''Yes''' on PS4 FW 10.00 and PS5 FW 6.00.

The patch changes the stateObject argument to loadInSameDocument from a raw pointer, SerializedScriptValue*, to a reference-counted pointer, RefPtr<SerializedScriptValue>, so that loadInSameDocument now increments the reference count on the object.

Tested working on PS4 FWs 6.00-9.60 and PS5 FWs 1.00-5.50. PS4 FWs <= 5.56 are invulnerable as the HTML input field stays focused (blue outline) after second timeout whilst it should not if the console were exploitable.

* [https://web.archive.org/web/20211020134808/https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30858.html (archive) Write-up and PoC by Maddie Stone (2021-10-13)]. Maddie Stone's vulnerability is not CVE-2021-30858 but instead might be CVE-2021-30889. See [https://github.com/googleprojectzero/0days-in-the-wild/commit/65fcdf0473ada4e80dc967662ea8f3f3ce4ea81e#diff-1a428c43cedcf140e5bd6f92e4527f169c3c717780e1586f2fab589e4f467b52 write-up edit commit]. Warning: Maddie Stone's vulnerability was wrongly classified as a use-after-free by Maddie Stone according to sleirsgoevy.

After r256659, asking for a failed CSSFontFace's families() returns nullopt. It is possible to add a failed font to a CSSFontFaceSet (of course). When we do that, we recognize the font is failed and do not update our internal data structures, because there's no need to - we cannot do anything useful with a failed font. If you _then_ try to remove the font from the CSSFontFace, we do not call families(), but instead just pull out the raw m_families member, and look in our internal data structures for it, but we do not find it, because it was never added.

The vulnerability is a use-after-free due to an unchecked end() iterator. There was an assert statement: ASSERT(iterator != m_facesLookupTable.end());, but ASSERTs do not do anything in release builds. Therefore, even if iterator == m_facesLookupTable.end() in the release build, nothing would happen and iterator would still be used. In FontFaceSet a FontFace is not added to the faces lookup table in addToFacesLookupTable if the font has already been deemed to be invalid. However, removeFromFacesLookupTable would still attempt to remove the font, leading to the use-after-free. The patch changes the ASSERT to an if clause. The function will return if iterator == m_facesLookupTable.end(), since the item it wishes to remove is not found in the table.

* [https://gist.github.com/sleirsgoevy/6beca32893909095f4bba1ce29167992 First exploit PoC for PS4 FW 9.00-9.04 and PS5 FW 3.00-4.51 by sleirsgoevy (2021-10-27)]

'''Yes''' on PS4 FW 9.50 and '''No''' as of PS5 FW 4.51 (need to test on PS5 FWs >=5.00). Not working on PS4 FWs <9.00 and PS5 FWs <2.10.

Might have been introduced in PS4 FW 3.50 and before PS5 FW 1.00 according to dates (need to check). However the vulnerability cannot be exploited in some conditions depending on how WebKit was compiled. For example, on PS4 FWs 7.55-8.52 and PS5 FWs <= 2.00, the FontFaceSet constructor returns with an exception that is propagated to JavaScript, preventing exploitation this way.

Tested working on PS4 FWs 9.00-9.04 and PS5 FWs 3.00-4.51. Untested: PS5 FWs 2.10-2.50 and >=5.00.

'''Yes''' in 8.00 FW.

 

Tested working on FWs 6.00-7.55, not working on FWs <= 5.56. HTML textarea guessed addresses for FWs 6.70-7.55 are known but not for FWs 6.00-6.51 so an attacker needs to make tests to determine these addresses on FWs 6.00-6.51.

WebKit: JSC: BytecodeGenerator::hoistSloppyModeFunctionIfNecessary does not invalidate the ForInContext object.

'''Yes''' in 7.00 FW.

 

Vulnerable on PS4 FWs 4.50-6.72. Not vulnerable on FWs <= 4.07. Not vulnerable on FWs >=7.00 according to manual tests but need to check WebKit sources.

'''Yes''' in 6.50 FW.

 

It does not work on <= 4.07 FW PS4 according to tests as the exploit fails at step "Triggering memory corruption".

Works on 3.15-4.07. Not working on <= 3.11.

 

 

 

 

 

 

 

 

 

 

 

Not yet.

* [https://blog.xyz.is/2016/webkit-360.html PSVita 3.60 HENkaku WebKit exploit writeup]

When attempting to update a vector via sortCompactedVector() - data is written based on a pointer, though the pointer is not re-updated nor nulled. When this memory in free()'d, the reference is maintained and thus memory corruption can occur.

* [https://github.com/WebKit/WebKit-http/commit/98845d940e30529098eea7e496af02e14301c704 WebKit fix commit (2016-05-17)]

* [http://psxhax.com/threads/ps4-3-50-webkit-exploit-from-playstation-4-dev-qwertyoruiop.450/ Article about qwertyoruiop's tests (2016-05-20)]

* [http://psxhax.com/threads/ps4-heap-use-after-free-at-webcore-3-50-poc-by-hunter128.452/ Article about initial PoC for PS4 (2016-05-21)]

* [http://wololo.net/talk/viewtopic.php?t=45888 Initial PoC for PS4 (2016-05-21)]

* [https://web.archive.org/web/20161030085033/http://cryptoanarchic.me/wat.txt iOS 9.3.2 WebKit RCE via heapPopMin (2016-07)]

* [https://twitter.com/qwertyoruiopz/status/756268361282125824 qwertyoruiop's tweet (2016-07-22)]

* nas and Proxima for the first PS4 POC on 1.76 PS4 (October 23, 2014)

* sony for patching the exploit in FW 2.00 (October 27, 2014)

* Working on PS4 1.00-1.76 FW, AppleWebKit/531.3-536.26

* Might work on PS4 FW 0.930.020.

 

 

Affecting WebKitGTK: CVE-2023-41074, CVE-2023-42917.

* Very old firmwares (<= 1.05) do not have ASLR enabled, but it was introduced sometime before firmware 1.70. "Address Space Layout Randomization" (ASLR) is a security technique which causes the base addresses of modules to be different every time you start the PS4.

* Between 1.76 and 4.05, Sony did that to prevent WebKit exploiters from defeating usermode ASLR easily.

1. Chose a function (ex: __stack_chk_fail) imported from libkernel.sprx by libSceWebkit2.sprx

 

 

* On FW 5.50+, opening BPF is still possible in less sandboxed apps like TestKit/DevKits fSELFs. But this is useless because ioctl does not work.

* Around 6.50-6.70, device access got blocked or removed. Now you can no longer access devices from the web browser.

 

 

'''Yes''' in PS4 9.03 FW and PS5 4.50 FW

* [https://fail0verflow.com/blog/2017/ps4-namedobj-exploit/ fail0verflow's writeup on the PS4 1.01-4.05 namedobj kernel exploit] (2017-10-19)

* [https://github.com/Cryptogenic/Exploit-Writeups/blob/master/PS4/%22NamedObj%22%204.05%20Kernel%20Exploit%20Writeup.md Specter's writeup on his PS4 4.05 implementation] (2017-12-28)

* [https://github.com/Cryptogenic/PS4-4.05-Kernel-Exploit PS4 4.05 WebKit + Kernel Exploit]

Works on FWs 4.00-4.05. On <= 3.70 FW we have not found a way to leak the target object, but it might be doable as Fail0verflow did it on 1.01.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

'''Yes''' in 2.50 FW.

 

 

 

 

==== PS5 SMAP bypass method: CVE-2021-29628 ====

A SMAP bypass has been found by m00nbsd while working on FreeBSD 12. It is named CVE-2021-29628 and affects FreeBSD 12.2 and later (til it was patched). It does not work on PS4 because PS4 kernel is based on FreeBSD 9 which did not contain the vulnerability and because PS4 SMAP does not come from FreeBSD but is custom from Sony. It used to work on PS5 before it was disclosed and patched. See [https://www.psdevwiki.com/ps5/Vulnerabilities#SMAP_bypass_%28CVE-2021-29628%29 CVE-2021-29628 on PS5 Dev Wiki].

At least since PS4 System Software version 6.51, Sony instrumented all instructions that write to the CR0 register with checks for attempts to clear CR0.WP (Write Protect), which is necessary for patching the kernel. This is what it looks like in 6.51 kernel:

 

The PS4 Crypto Coprocessor (CCP) interface in Secure Kernel has a bug that allows to dump (or better saying, bruteforce) key rings from SAMU.

That is how AES/HMAC keys from PFS, portability keys, VTRM keys, etc can be retrieved. A crypto flaw was in the ability to issue HMAC operation with key length stricly lower than 16. For example, by setting it to 1 you can bruteforce key bytes one by one by comparing HMAC result with HMAC result with known partial key.

 

This trick may work on other crypto hardware as well if it does not restrict key lengths. Amazingly, Intel Secure Key Storage (SKS) of CSME subsystem also has a bug allowing to brute-force any key slot, but the issue exists at hardware level - insecure design of  the keys distribution to crypto engines (AES, SHA, RC4). Intel did not recognize the bug arguing that to access SKS the CSME privileged arbitrary code execution is required, but SKS is exactly designed to protect the ROM generated keys from CSME firmware...

 

 

 

 

 

 

 

'''Yes''' since a PS4 FW between 7.55 (unpatched) and 9.00 (patched).

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

By calling the sceSblAuthMgrDriveData kernel function on a PS4, which is a wrapper to the Authentication Secure Module associated fonction, it is possible to dump its IDPS ([[Console ID]]). It is possible because some PlayStation 4 operating system developer from Sony forgot to encrypt sceSblAuthMgrDriveData output by the Authentication Secure Module and that is how it was patched later. The PS4 IDPS is stored encrypted in an EID block in the [[Serial Flash]].

 

To dump the PS4's IDPS, execute sceSblAuthMgrDriveData(0, in_buf, 0x160, out_buf, 0xA4, 1). Pass 0x160 bytes at 0x90C00 from sflash0s1.crypt into `in_buf` and dump `out_buf`.

 

 

 

 

 

 

 

 

 

A bug in the Secure Module that handle PUP decryption allows any PS4 GEN3 on FW 1.62 or below to decrypt any GEN3 PUP (retail, TestKit, DevKit, Beta) with a version above 1.00 (post-prototype).https://github.com/SocraticBliss/ps4-pup_decrypt

 

 

 

 

 

 

 

 

* shykelit for dumping 3.55 Jig PS4 kernel (2019-04-17)

* zecoxao for discovering Matroska kernels and giving them that name (2019-04-18)

* z80 for dumping 3.70 PS4 DevKit kernel (2019-04-18)

* CelesteBlue for backporting kernel exploits to dump PS4 4.74 kernel (2018-11-18), 3.50 (2019-05-09), 3.70 (2019-05-15) and 3.15 (2019-05-25)

 

The kernel memory contains the kernel fSELF but with decrypted data, which in turn can be decompressed to grab ubios, vbios, kernel boot code and partial kernel.

 

 

Sadly, this vulnerability is random, as it relies on kernel ASLR which is itself random. So depending on the System Software version, as modules have different sizes, kernel ASLR has more (100% on 3.15, 3.50 and 3.70) or less (1% on ?4.74?) chances to leak the Matroska kernel. It is unknown how we could improve this success rate. Maybe by instead of rebooting, causing a kernel panic or rebooting to recovery, entering rest mode then disconnecting power supply. A way to accelerate the process would be to scan kernel memory and check magics to see if there is a Matroska kernel. If there is, dump it, else reboot and cross fingers.

 

Note: vbios seems to be the same from 3.50 to 6.00b1 at least.

 

Since PS4 3.50 FW, ASLR (Address Space Layout Randomization) has been enabled in PS4 kernel.

 

* the encrypted x86 kernel is loaded from [[Serial Flash]]

* the secure kernel decrypt the x86 kernel SELF, without uncompressing it to some fixed address: at 0xFFFFFFFF84000000 in the case of 3.xx and 5.xx firmwares or 0xFFFFFFFFC4000000 in the case of 4.xx.

 

On some PS4 boots, Kernel ASLR base address can be very near of Matroska kernel address and the lack of memory separation and wipe renders the dump of Matroska kernel possible with only kernel memory read access.

 

'''Yes''' partially in 4.00 FW by increasing the kernel ASLR base address but it might have reappeared in newer versions like since 5.00 or 4.74, but with lower success rate.

 

 

 

 

 

 

It is possible to glitch the [[Syscon]] debug interface to allow access and dump keys. It was originally done by an anonymous member of fail0verflow.

 

 

Side Channel Analysis (SCA) with Differential Power Analysis (DPA) on Aeolia and Belize (PS4 Southbridge revisions) has been shown to be able to recover key material. Since Sony never used private/public key pairs, it is possible to exploit this and gain complete control over the [[Southbridge]]. You can attack the main FreeBSD kernel from here.

 

 

 

 

This is a hack to gain unsigned code execution on the [[Southbridge]] for all motherboard/console revisions. You might be able to glitch the EMC bootrom in order to bypass further signature checks and break the chain of trust. This hack might involve slowing down the [[Syscon]] clock. Timing the glitch based on SPI read accesses then either doing a power glitch or clock glitch to skip signature check. If the glitch fails, then we simply reset. This can be done with a very cheap CPLD/FPGA. Most Xbox 360 glitching modchips used a Xilinx Coolrunner because it is cheap and easy to use (board can cost as low as $5).

 

 

 

* Rudolf Marek discovered, disclosed to AMD then publicly through the following timeline:

** 2014-11-25 - AMD sends to Rudolf Marek a list of AMD AGESA versions which contain a fix

 

A security vulnerability, discovered by Rudolf Marek in April 2014, in the recent AMD processors (Trinity and Richland, of FM2 socket) allows arbitrary code execution on the AMD System Management Unit (SMU).

 

* The AMD SMU firmware is not padded so some part (256 bytes) of the runtime firmware is not correctly covered by protection cover (0x55 0xaa ...).

Similar, but not same problem affected AMD Kabini and Kaveri CPUs. It also likely affects PS4 as its [[APU]] is AMD Kabini/Jaguar.

 

Thanks to this vulnerability, the AMD SMU firmware can be dumped. From the dump, the [[Keys#AMD_SMU_Keys HMAC-SHA1 key]] was obtained.

 

 

 

Maybe after 2014-11-25, SMU vulnerability found by Rudolf Marek could have been patched on PS4 as AMD released patches: the fixed SMU firmware is part of updated AMD AGESA.

 

=== Untested - Arbitrary code execution in AMD SMU by custom firmware ===

 

 

It turns out that the "debug key" used to hash "debug" firmwares from AMD SMU effectively works on all retail (CEX) versions of the PS4 AMD SMU firmware as well.

 

According to zecoxao, as SMU is very privileged in PS4 (but not so privileged in PS5), one could probably dump his own PS4 keys/fuses with AMD SMU code execution. This could possibly lead to decryption of latest PS4 games, SEN access on PS4 running out-of-date System Software, conversion of any PS4 between CEX and DEX, as well as decrypting the PS4 Kernel and derived binaries.

 

 

Maybe on recent PS4 firmwares with a BIOS update that would require a different and possibly more secure digest or signature.