. This time they explore a stack buffer overflow bug in the HDMI encoder firmware when HDMI-CEC is enabled, accessed via I2C and IRQ lines while disabling HDMI encoder power switch access from syscon.
I assume Sony will mitigate this attack either by changing the southbridge chip hardware in future revisions of the PS4, or by removing the option to use HDMI-CEC (Consumer Electronics Control) in settings.
This post describes another way to attain code execution on Aeolia (actually, the southbridge revision on PS4 Pro which was used in this case is named “Belize”). This exploit differs from the previously documented method as it does not have the prerequisite of gaining control of the APU. Additionally it is fairly generic and therefore workable on all currently released hardware and software versions of PS4.
From Aeolia to Belize
Previously, we have attained permanent code exec on the southbridge on the SAA-001 motherboard. This chip is marked as CXD90025G (referred to as Aeolia internally) and constitutes the first production version. As mentioned in previous posts in this series, there have been many revisions of the PS4, and it makes sense to assume more recent hardware includes more advanced security features. With the original Aeolia owned, it was possible to examine the EMC and EAP firmware and look for vulnerabilities which would allow a more direct attack on the successive hardware revisions. Specifically, the target was the southbridge on the most recent (at the time) PS4 Pro NVB-003 motherboard: marked CXD90046GG and named Belize. From reversing the Belize driver in the x86 FreeBSD kernel, it could be seen that the device was functionally mostly identical to Aeolia. For our purposes, “Aeolia” and “Belize” are interchangeable, so keep that in mind while reading this post.
Sidenote: NVB-003 contains a cost-reduced version of syscon, marked as A05-C0L2. This chip can be pwned exactly the same as the original version, so there will be no further post about that.
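The post above only summarises the bug class (a stack buffer overflow in the encoder firmware's HDMI-CEC path, reached from the bus). The following is an added illustration of that pattern and is not code from fail0verflow or from any Sony or encoder firmware: the register layout (`cec_rx_regs`, `rx_len`, `rx_fifo`), the handler names and the sample frames are all assumptions constructed for the example. It shows a CEC receive handler that trusts a bus-supplied length when copying a frame into a fixed-size stack buffer, next to a hardened version that enforces the CEC spec's 16-byte frame limit before touching the buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* CEC framing (HDMI 1.4 spec, CEC section): one header byte (initiator/destination
 * nibbles), one opcode byte, and at most 14 operand bytes, so 16 bytes per frame. */
#define CEC_MAX_FRAME    16
#define CEC_MAX_OPERANDS 14

/* Hypothetical encoder register window as seen over I2C (assumption for this example):
 * the chip latches the received frame length in one register and the raw bytes in a
 * FIFO. Both values originate from whatever device is on the HDMI bus. */
struct cec_rx_regs {
    uint8_t rx_len;       /* bus-controlled: never trust it as a copy length */
    uint8_t rx_fifo[64];
};

struct cec_msg {
    uint8_t initiator;
    uint8_t destination;
    uint8_t opcode;
    uint8_t operands[CEC_MAX_OPERANDS];
    size_t  n_operands;
};

/* Vulnerable pattern: rx_len is used as the memcpy length into a 16-byte stack buffer.
 * A frame advertised as longer than 16 bytes overwrites the saved registers and return
 * address of this function. Only call this with a well-formed frame. */
int cec_rx_handler_vuln(const struct cec_rx_regs *regs, struct cec_msg *out)
{
    uint8_t frame[CEC_MAX_FRAME];

    memcpy(frame, regs->rx_fifo, regs->rx_len);   /* no bound on rx_len */
    if (regs->rx_len < 2)
        return -1;
    out->initiator   = frame[0] >> 4;
    out->destination = frame[0] & 0x0f;
    out->opcode      = frame[1];
    out->n_operands  = regs->rx_len - 2;
    memcpy(out->operands, &frame[2], out->n_operands);
    return 0;
}

/* Hardened version: validate the length against the protocol maximum before any copy,
 * and reject header-only (polling) frames since they carry no opcode. */
int cec_rx_handler_safe(const struct cec_rx_regs *regs, struct cec_msg *out)
{
    size_t len = regs->rx_len;

    if (len < 2 || len > CEC_MAX_FRAME)
        return -1;                                 /* malformed or oversized frame */
    out->initiator   = regs->rx_fifo[0] >> 4;
    out->destination = regs->rx_fifo[0] & 0x0f;
    out->opcode      = regs->rx_fifo[1];
    out->n_operands  = len - 2;                    /* at most CEC_MAX_OPERANDS */
    memcpy(out->operands, &regs->rx_fifo[2], out->n_operands);
    return 0;
}

/* Constructed sample register contents (not captured from hardware). */
void cec_sample_regs(struct cec_rx_regs *r, int oversized)
{
    /* <Set OSD Name> "PS4" from logical address 0 (TV) to 4 (Playback Device 1). */
    static const uint8_t frame[] = { 0x04, 0x47, 'P', 'S', '4' };

    memset(r, 0x41, sizeof *r);                    /* 'A' filler, classic overflow probe */
    if (oversized) {
        r->rx_len = 40;                            /* claims 40 bytes: 24 past the buffer */
        return;
    }
    memcpy(r->rx_fifo, frame, sizeof frame);
    r->rx_len = (uint8_t)sizeof frame;
}

int main(void)
{
    struct cec_rx_regs regs;
    struct cec_msg msg;

    cec_sample_regs(&regs, 0);
    if (cec_rx_handler_safe(&regs, &msg) == 0)
        printf("valid frame: %u->%u opcode 0x%02x, %zu operands\n",
               msg.initiator, msg.destination, msg.opcode, msg.n_operands);

    cec_sample_regs(&regs, 1);
    printf("oversized frame: safe handler returns %d\n",
           cec_rx_handler_safe(&regs, &msg));      /* vuln handler would smash the stack */
    return 0;
}
```

The fix is the length check, not the buffer size: even a bigger stack buffer would still be reachable by a frame that lies about its length, so the check belongs on the untrusted register value before the first copy.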