PS5 Exploit progress: userland ROP execution for 4.03 released by Chendochap & ZNullPtr (with writeup)

PS5 4.03 running Chendochap/ZNullPtr’s code. Screenshot from Echo Stretch’s video
PlayStation scene hackers Chendochap and ZNullPtr have released a PS5 WebKit execution toolkit based on the FontFace WebKit vulnerability. Although not a Jailbreak, it gives people with the right set of skills userland code execution from which to dig deeper into PS5 security, and takes the scene one step closer to implementing the known kernel exploit (which would lead to a Jailbreak).
This exploit works on PS5 4.03 only at the moment. Firmwares above 4.03 are patched against this bug, so this specific exploit will not run on them. Lower firmwares are still a possibility, although the hackers mention that 2.00 and lower apparently do not have the vulnerability (the vulnerable FontFace code is not present in those older WebKit builds in the first place).
PS5 Jailbreak: The story so far
Late last year, a full PS4 Jailbreak was released, leveraging a WebKit FontFace exploit for its userland entry point and a filesystem bug in the PlayStation 4 kernel for privilege escalation.
Both the Webkit vulnerability and the kernel exploit have been confirmed to impact the PS5 as well (here and here respectively), leading to strong hopes from the PS5 scene that a PS5 Jailbreak was right around the corner.
A “port” from one console to the other is not a straightforward affair, though: the PS5 is still largely a black box for the hacking scene, and Sony has undoubtedly added security mechanisms to its new generation console (the clang-based CFI mentioned in the writeup below being one example).
It’s clear that several hackers have been hard at work trying to turn these vulnerabilities into a full-fledged PS5 Jailbreak, as confirmed by today’s release. Significant progress has been made, but this is not an “end user” release at this point.
PS5 Userland Webkit ROP Release and writeup
Once again, we must emphasize that this is not a release intended for end users. It gives people on PS5 4.03 access to ROP execution, which could help them investigate the internals of the PS5. This work relies on the same FontFace WebKit vulnerability as the PS4, but the hackers had to leverage other mechanisms to gain code execution, as explained in the writeup:
Lower firmwares such as 2.00 don’t seem to be vulnerable, likely because the relevant FontFace code isn’t present in older builds of WebKit (this holds true on PS4 as well, as firmwares lower than 9.00 can’t be exploited with this WebKit bug).
On firmware 4.03, however, we found the browser was vulnerable. Unfortunately the exploit strategy used on PS4 could not be used on PS5 because of clang-based CFI.
[…]
An alternative was needed to achieve code execution in WebKit. Thankfully, PS5’s CFI is only forward-edge and does not use a shadow stack, so backward-edge attacks (such as attacking return addresses on the stack) are fair game. JavaScript provides a somewhat interesting piece of functionality called Web Workers. These Workers are at their core simple threads which execute JavaScript in an isolated environment. These were useful for exploitation, as they had a reliable stack we could leak, and give a thread to pivot to our ROP chain.
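To make the forward-edge vs. backward-edge distinction concrete, here is an added model of a ROP chain written over a saved return address and then "executed" by successive rets. It is illustration written for this article, not code from the writeup or from Chendochap’s repository: the module base, the leaked stack slot, the gadget offsets and the target function address are all invented. The point it shows is that the chain contains no indirect call or jump at all, only return addresses, which is exactly the class of control transfer a forward-edge-only CFI without a shadow stack never checks.

```javascript
// Added illustration, not code from the PS5 writeup or ChendoChap's repo.
// A ROP chain is nothing but a sequence of return addresses: every
// control transfer is a "ret" (backward edge). Clang's forward-edge CFI
// only type-checks indirect call/jump targets, so without a shadow stack
// it never validates any of this. All addresses and offsets are made up.

const MODULE_BASE = 0x800000000000n;       // assumed: leaked code base of some module
const SAVED_RIP_SLOT = 0x7ff7f0000ff8n;    // assumed: leaked address of a saved return address on a Worker stack
const TARGET_FUNC = MODULE_BASE + 0x9000n; // assumed: function the chain should land in with rdi/rsi set

// Hypothetical gadgets: offset from the module base plus what they do.
// Each one ends in "ret", which is what keeps the chain moving.
const GADGETS = {
  pop_rdi: { off: 0x1234n, run: (st) => { st.regs.rdi = st.pop(); } }, // pop rdi ; ret
  pop_rsi: { off: 0x2345n, run: (st) => { st.regs.rsi = st.pop(); } }, // pop rsi ; ret
};

const hex = (v) => '0x' + v.toString(16);

// Serialise the chain as little-endian 64-bit words, laid out exactly as
// they would be written over the saved RIP and the stack slots above it.
function buildChain(base) {
  const words = [
    base + GADGETS.pop_rdi.off, 0x41414141n, // rdi = first argument
    base + GADGETS.pop_rsi.off, 0x42424242n, // rsi = second argument
    TARGET_FUNC,                             // final ret lands here
  ];
  const bytes = new Uint8Array(words.length * 8);
  const view = new DataView(bytes.buffer);
  words.forEach((w, i) => view.setBigUint64(i * 8, w, true));
  return bytes;
}

// Toy memory: a Map of 8-byte words keyed by BigInt address.
function writeBytes(mem, addr, bytes) {
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  for (let i = 0; i + 8 <= bytes.length; i += 8) {
    mem.set(addr + BigInt(i), view.getBigUint64(i, true));
  }
}

// Model the corrupted function's epilogue "ret" and every gadget's
// trailing "ret": pop rip from [rsp], dispatch, repeat. Stops when a ret
// lands outside the gadget set, i.e. on the target function.
function runChain(mem, rsp, base, maxSteps = 64) {
  const st = {
    regs: { rdi: 0n, rsi: 0n, rip: 0n },
    rsp,
    pop() {
      const v = mem.get(this.rsp);
      if (v === undefined) throw new Error(`uninitialised stack read at ${hex(this.rsp)}`);
      this.rsp += 8n;
      return v;
    },
  };
  const trace = [];
  for (let step = 0; step < maxSteps; step++) {
    st.regs.rip = st.pop(); // the backward edge: no CFI check happens here
    const name = Object.keys(GADGETS).find((k) => base + GADGETS[k].off === st.regs.rip);
    if (!name) {
      trace.push(`ret -> ${hex(st.regs.rip)} (left gadget set)`);
      return { regs: st.regs, trace, landed: st.regs.rip };
    }
    trace.push(`ret -> ${name}`);
    GADGETS[name].run(st);
  }
  throw new Error('chain did not terminate');
}

// Overwrite the (assumed) saved return address slot and let the chain run.
function demo() {
  const mem = new Map();
  writeBytes(mem, SAVED_RIP_SLOT, buildChain(MODULE_BASE));
  return runChain(mem, SAVED_RIP_SLOT, MODULE_BASE);
}

console.log(demo().trace.join('\n'));
```

The trace shows three rets and nothing else: two into gadgets, one into the target function, with rdi and rsi already loaded. Swapping in a real module base, real gadget offsets and the leaked Worker stack address is what the actual exploit does; the control-flow shape stays the same, which is why a shadow stack (or another backward-edge defence) rather than more forward-edge checks is what would break it.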
Scene member Echo Stretch has a nice test video that you can check below, showcasing the current status of the exploit:
The hackers credit the following people for their help with this release:
- Anonymous
- Specter
- sleirsgoevy
- Everyone that donated.
PS5 Webkit – Should I update my PS5 to 4.03?
At the moment, if you have a PS5 on a lower firmware, the best course of action is to stay put. Do not update just for the sake of testing this exploit; it’s not worth it unless you are a security researcher yourself.
If you are above 4.03, this exploit is not for you and will not work on your PS5.
PS5-Webkit Execution – Download
You can download the code, and check the writeup, on Chendochap’s GitHub.
To run the code, you’ll need to host the html/js files on a local server, then use your favorite way to reach the PS5’s “hidden” web browser (for example, set one of Al-Azif’s DNS servers, 165.227.83.145 or 192.241.221.79, on your PS5, open the “user guide” page from the console, then use the URL redirector, as demonstrated in Echo Stretch’s video above).
For now the code just shows a few JavaScript alerts. To take it further, you’ll need to start digging into the PS5 internals yourself from this starting point, or be very patient.
Source: ZnullPtr
first
Nobody cares
No
imagine still being obsessed with being the first person to comment on a random internet article in 2022 lol
I’m before all the How do I JB my PS5 with this????
u cant
Worst console ever, and XSX too.
soon ps5 slim cfw 9.0 I hope
and cheap 200 max
I bought the second PS5 two days ago, now I’m praying to the hacking gods for the jailbreak and Linux on PS5.
What firmware did your new PS5 come with? Would appreciate your reply.
I did not open it yet, but asking people who bought their PS5 recently, the firmware was always < 4.00.
It’s a good start but there are not so many ps5 games yet, and the ps5 is hard to get one worldwide.
I am on 4.50, out of luck.
Get Rekt.
Can this userland exploit be used to launch some retro emulators directly from the web browser?
Nah dude. Right now it’s useless, best to update
Bruh, we all know not to update if we want a jailbreak. Also, you’re adopted.
Hoping for a public exploit by 14 February 2022! Give the scene some love.
Why specifically on 14th of February? And it’s possible but not likely
Nice! Glad you made it safely across the border ^_^
whaTS UP PS5 IS DEAD
First is first
These articles give false hope. The found kernel exploit works for PS4 because we know the memory addresses to attack and inject; no one has ANY CLUE whatsoever where these addresses would be to get the exploit working on the PS5.
And no one will be able to, because it would require a full NAND dump + decryption, which has about a 0% chance of happening anytime soon.