What is this PS4 3.55 exploit, is this a PS4 jailbreak?
This is the WebKit exploit used in the recent HENkaku for PS Vita, ported to the latest PS4 firmware, firmware 3.55. This gives us user mode code execution on the PS4. This is cool, but keep in mind that this is just access in one process, and such exploits are typically considered “useless” without an accompanying kernel exploit (which would be the point where it’s ok to call this a PS4 jailbreak). Without a kernel exploit, this will lead at best to minor user mode homebrews (which, don’t get me wrong, can be cool, but it’s not what people are looking for).
This however means that if anyone were to release a kernel exploit for the PS4 in the days or weeks to come (see below), firmware 3.55 will become the new gold firmware for PS4 hackers. Currently, only owners of a PS4 running firmware 1.76 can enjoy cool things such as Linux and Steam on their PS4. This could change soon.
The funny thing here is that firmware 3.55 is also known to be the “golden” firmware of PS3 hacking. The Vita missed the mark by a few updates, with 3.60 being the “one” (come on Team Molecule, what took you so long?).
What’s next for PS4 3.55 users?
Again, for this to be truly useful for a broad audience, a kernel exploit will need to be released for the PS4. I haven’t heard any rumors, let alone confirmed sources, of people willing to release such a thing in the near future. It is actually likely that many hacking groups were already in possession of user mode exploits and were waiting for a kernel exploit.
Nevertheless, staying on firmware 3.55 will probably be recommended for now for people who expect further hacks for their PS4. I wouldn’t be surprised if Sony take the time to patch this exploit in their upcoming firmware 4.0, for which the Beta is supposed to start this month.
This repo contains a PoC for getting code execution on PS4s with firmware version 3.55. It uses the same WebKit vulnerability as the HENkaku project. So far there is basic ROP working, and returning to normal execution is included. Next steps will be to map a JIT page successfully and get actual shellcode executed.
You need to edit the dns.conf to point to the IP address of your machine, and modify your console's DNS settings to point to it as well. Then run "python fakedns.py -c dns.conf", then "python server.py". Debug output will come from this process.
The exploit is not 100% reliable currently. It is more like 80%, which is good enough for our purposes. So if it does not work on the first try, try a few more times. Also, doing too much allocating after the sort() is called can make it more unstable.
The process will crash after the ROP is done executing.
xyz – Much of the code is based off of his code used for the HENkaku project
Anonymous contributor – WebKit vulnerability PoC
CTurt – I basically copied his JuSt-ROP idea