Webkit FontFace Exploit confirmed to work on PS5! (First public exploit ever on the PS5?)
Update: Article has been updated to add confirmation that the exploit works on the latest firmware 21.02-04.03
Multiple people have confirmed that Sleirsgoevy’s implementation of the Webkit FontFace exploit works on PS5,
although exactly which firmwares are affected still needs to be fully confirmed (the latest firmware, 21.02-04.03, has been confirmed to be vulnerable, see below).
A Webkit exploit in itself is not terribly useful for end users, but this is to my knowledge the first ever confirmed PS5 exploit, so this is pretty big news.
Twitter user @a_koski_a in particular has a video showing the exploit running to completion on firmware 21.01-03.21.00. That specific firmware update was released in July this year, so it’s a few iterations behind, but it’s possible the exploit works on higher firmwares too.
— rAwP0TAT0 (@a_koski_a) October 28, 2021
User @ArdeeSantos3 has also confirmed with a video that firmware 21.02-04.02 is also impacted by the vulnerability.
When this article was first published, the only firmware still lacking an actual confirmation was the latest one, 21.02-04.03, although it seemed extremely likely to be exploitable too (it has since been confirmed, see the update below).
Works on PS5 as well. Mine’s firmware 21.02-04.02. pic.twitter.com/siAykM1d2J
— Ardee Santos (@ArdeeSantos3) October 28, 2021
Scene veteran Zecoxao has stated that the exploit works on the latest PS5 firmware;
when this article was first published I had not seen actual proof of that. This has since been confirmed by @StretchEcho, who published a YouTube video showing the exploit running on 21.02-04.03.
What does a PS5 Webkit exploit mean for the scene?
Even “just” a webkit exploit could open the door to some nice investigation of the PS5’s internals. It would be fairly limited but could let us access some sections of the PS5’s RAM, and from there possibly fetch a few of the console’s libraries, for reverse engineering. It’s unlikely a kernel exploit would be found from there, but one can dream.
How to test and confirm the FontFace Exploit on your PS5
- Get the exploit from Sleirsgoevy’s github and put it on your local server, then point your PS5’s browser to the file (alternatively, point your PS5 to one of the public servers hosting the file, such as https://kameleonreloaded.github.io/900Test/).
- Note: it’s a bit tricky to use the PS5’s browser since it is hidden. You’ll want to follow this guide to get it to load, then click your way to the page you want to access.
- Click on the html button and wait. You should see the following alerts, in this order:
  - guessed fontface addr:…
  - stringimpl leak:…
  - fastmalloc.length =…
  - jsvalue leak:…
  - Last but not least, a series of comma separated numbers
If you see the whole sequence of alerts, in particular the last one (comma separated numbers), congrats, the exploit worked for you! If it fails at any of the steps above (which would be visible by an error message such as “not enough memory”, or the browser not doing anything for a long amount of time), then your attempt failed, and you should reload the page and try again.
It might take multiple attempts to get the exploit to work for you; there’s a lot of randomness involved given the nature of the exploit. With that being said, don’t give up, and try a few times before calling it a day.
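Clicking through the alerts on the PS5’s hidden browser is tedious, and it is easy to lose track of which stage an attempt died at. The snippet below is an added example written for this article, not code from Sleirsgoevy’s exploit: it replaces the browser’s blocking alert() with an on-page log, classifies each message against the stage prefixes listed above, and reports whether the attempt reached the final comma-separated list. The element id and the sample messages are made up for illustration; the exact text the exploit alerts beyond the prefixes quoted above is not described here.

```javascript
// Added example, not part of Sleirsgoevy's exploit or the article: a helper
// that replaces the browser's blocking alert() with an on-page log so the
// stage messages can be read without clicking through each dialog, and that
// decides whether one attempt reached the final stage. The stage prefixes
// are the ones quoted in the article; sample values used in tests are made up.

// Ordered stage prefixes the exploit reports via alert(), lowercased.
const STAGES = [
  { key: "fontface_addr", prefix: "guessed fontface addr:" },
  { key: "stringimpl_leak", prefix: "stringimpl leak:" },
  { key: "fastmalloc_len", prefix: "fastmalloc.length =" },
  { key: "jsvalue_leak", prefix: "jsvalue leak:" },
];

// The last alert is a comma-separated list of numbers with no prefix.
const FINAL_RE = /^-?\d+(\s*,\s*-?\d+)*$/;

// Map one alert message to a stage key, "final", "error" or "unknown".
function classifyAlert(msg) {
  const text = String(msg).trim().toLowerCase();
  for (const stage of STAGES) {
    if (text.startsWith(stage.prefix)) return stage.key;
  }
  if (FINAL_RE.test(text)) return "final";
  // The article names "not enough memory" as a typical failure message.
  if (text.includes("not enough memory")) return "error";
  return "unknown";
}

// Summarise the alerts from one attempt: stages must appear in order, and an
// error message ends the attempt. Unknown messages are ignored.
function summarizeRun(messages) {
  const expected = STAGES.map((s) => s.key).concat("final");
  let reached = 0;
  let failedWithError = false;
  for (const msg of messages) {
    const key = classifyAlert(msg);
    if (key === "error") {
      failedWithError = true;
      break;
    }
    if (key === expected[reached]) reached += 1;
  }
  return {
    success: reached === expected.length,
    stagesReached: reached,
    lastStage: reached > 0 ? expected[reached - 1] : null,
    failedWithError,
  };
}

// Browser-only: swap alert() for a logger that appends each message to a
// <pre> element and shows a running summary. Returns the log and a
// restore() function. Load this before the exploit's own script.
function installAlertLog(win, doc) {
  const log = [];
  const pre = doc.createElement("pre");
  pre.id = "exploit-log"; // hypothetical element id
  (doc.body || doc.documentElement).appendChild(pre);
  const originalAlert = win.alert;
  win.alert = (msg) => {
    log.push(String(msg));
    const summary = summarizeRun(log);
    const status = summary.success ? " (success)"
      : summary.failedWithError ? " (error)" : "";
    pre.textContent =
      log.map((m, i) => `${i + 1}. ${m}`).join("\n") +
      `\n--- stages reached: ${summary.stagesReached}/${STAGES.length + 1}` +
      status;
  };
  return { log, restore: () => { win.alert = originalAlert; } };
}

if (typeof window !== "undefined" && typeof document !== "undefined") {
  installAlertLog(window, document);
}
```

To use it, include this file in a script tag before the exploit’s own script in the page you host on your local server; each alert then lands in the log instead of a dialog, and the summary line tells you at a glance whether the attempt died at the FontFace guess, a leak stage, or ran to the final list of numbers.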
If you get a success, please do post your firmware in the comments below!
And in any case, do not update your PS5 firmware if you intend to ever hack it.