Released! PS5 Kernel exploit + Webkit vulnerability for Firmware 4.03
Important Update: The exploit has now been ported to firmware 4.50. Details here, but everything else in this article still applies.
Original article below:
This release relies on the Webkit vulnerability as an entry point, meaning it will work on any PS5 (including PS5 Digital edition) running firmware 4.03. Lower firmwares might work (although the exploit might need tweaking). Higher firmwares will not work at the moment (they are not vulnerable to the Webkit exploit)
*Note*: for those of you looking to grab a 4.03 or 4.50 PS5, we have a few tips here.
PS5 4.03 Kernel exploit is here!
SpecterDev warns about significant limitations of this exploit. Notably:
- The exploit is fairly unstable, and in his experience will work about 30% of the time. If you are trying to run it, don’t give up, it might require several attempts before the exploit gets through
- Possibly more important, this exploit gives us read/write access, but no execute! This means no possibility to load and run binaries at the moment, everything is constrained within the scope of the ROP chain. The current implementation does however enable debug settings.
More precisely, from the exploit’s readme:
- Obtains arbitrary read/write and can run a basic RPC server for reads/writes (or a dump server for large reads) (must edit your own address/port into the exploit file on lines 673-677)
- Enables debug settings menu (note: you will have to fully exit settings and go back in to see it).
- Gets root privileges
- This exploit achieves read/write, but not code execution. This is because we cannot currently dump kernel code for gadgets, as kernel .text pages are marked as eXecute Only Memory (XOM). Attempting to read kernel .text pointers will panic!
- As per the above + the hypervisor (HV) enforcing kernel write protection, this exploit also cannot install any patches or hooks into kernel space, which means no homebrew-related code for the time being.
- Clang-based fine-grained Control Flow Integrity (CFI) is present and enforced.
- Supervisor Mode Access Prevention/Execution (SMAP/SMEP) cannot be disabled, due to the HV.
- The write primitive is somewhat constrained, as bytes 0x10-0x14 must be zero (or a valid network interface).
- The exploit’s stability is currently poor. More on this below.
- On successful run, exit the browser with circle button, PS button panics for a currently unknown reason.
Stability for this exploit is at about 30%, and has multiple potential points of failure. In order of observed descending liklihood:
- Stage 1 causes more than one UAF due to failing to catch one or more in the reclaim, causing latent corruption that causes a panic some time later on.
- Stage 4 finds the overlap/victim socket, but the pktopts is the same as the master socket’s, causing the “read” primitive to just read back the pointer you attempt to read instead of that pointer’s contents. This needs some improvement and to be fixed if possible because it’s really annoying.
- Stage 1‘s attempt to reclaim the UAF fails and something else steals the pointer, causing immediate panic.
- The kqueue leak fails and it fails to find a recognized kernel .data pointer.
In other words, this release is useful for hackers only, or people who are curious to dig into the inside of the PS5. Note however that despite its limitations, this is the first ever public release of such a powerful hack for the PS5, which means fresh discoveries are bound to happen!
PS5 IPV6 Exploit showcase video
Scene member Echo Stretch managed to run the exploit and get us a video of it in action, as can be seen below. In the video, you can see Debug menu and package installer being unlocked on the PS5
— Echo Stretch (@StretchEcho) October 3, 2022
Download and run
You can download the hack here.
You will need Python to run SpecterDev’s implementation, and you will be running a webserver on your local PC for your PS5 to access.
- Configure fakedns via
manuals.playstation.netto your PCs IP address
- Run fake dns:
python fakedns.py -c dns.conf
- Run HTTPS server:
- Go into PS5 advanced network settings and set primary DNS to your PCs IP address and leave secondary at
- Sometimes the manual still won’t load and a restart is needed, unsure why it’s really weird
- Go to user manual in settings and accept untrusted certificate prompt, run
- Optional: Run rpc/dump server scripts (note: address/port must be substituted in binary form into exploit.js)
This is a developing story, as more people will test and report on this hack in the days to come, so stay tuned!