PS5 Payload SDK Update: arbitrary syscalls support added
The PS5 hacking community is making slow but steady progress. While most of us will have to wait for details on what SpecterDev talked about in his infosec presentation on the PS5 Hypervisor last week, there are still things we can get our hands on already. Developer John Tornblom has pushed a few updates to his PS5 Payload SDK implementation, adding in particular arbitrary syscall support yesterday. Also, since the last time we covered it, it seems the SDK has gained support for PIE (position-independent ELF files, i.e. relocation support).
What is BD-JB for PS4/PS5
BD-JB is a series of exploits (an exploit chain) that allows exploitation of the PS4 and PS5, up to firmwares 9.04 and 4.51 respectively, revealed by hacker TheFloW in 2022. The hacking scene has been creating and maintaining a series of tools relying on these vulnerabilities, in particular to load and execute unsigned code (binary payloads and/or ELF files) on the PS5.
Because it relies on vulnerabilities in the Blu-ray layer of Sony’s consoles, this exploit is not compatible with the Digital Edition of the PS5, which has no disc drive. Those running a Digital Edition PS5 might want to try the WebKit exploit instead, which is compatible up to and including firmware 4.51.

TheFloW used a kernel exploit in conjunction with the BD-JB exploit chain to gain kernel access on the PS5, and disclosed BD-JB in 2022.
What’s the PS5 Payload SDK
From the Readme:
This is an SDK for developing ELF payloads targeted at exploited PS5s running the BD-J ELF loader. Several artifacts in this repository originate from the PS5SDK project.
Download & Use PS5 Payload SDK
- Source here
- Commit adding syscall support here
INSTALL:
john@localhost:ps5-payload-sdk$ sudo apt-get install build-essential
john@localhost:ps5-payload-sdk$ make
john@localhost:ps5-payload-sdk$ make DESTDIR=/opt/ps5-payload-sdk install

USAGE:
john@localhost:ps5-payload-sdk$ export PS5_PAYLOAD_SDK=/opt/ps5-payload-sdk
john@localhost:ps5-payload-sdk$ make -C samples/hello_world
john@localhost:ps5-payload-sdk$ export PS5_HOST=ps5; export PS5_PORT=9020
john@localhost:ps5-payload-sdk$ make -C samples/hello_world test

ADDING NEW SCE LIBS:
If you have decrypted sprx files that you would like to interact with, you can build stubs for them as follows:
john@localhost:ps5-payload-sdk$ sudo apt-get install wget python3 python3-pyelftools
john@localhost:ps5-payload-sdk$ cp /path/to/sprx/libSceXYZ.sprx sce_stubs/
john@localhost:ps5-payload-sdk$ make -C sce_stubs stubs
john@localhost:ps5-payload-sdk$ make DESTDIR=/opt/ps5-payload-sdk install
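What "arbitrary syscall support" buys a payload author is the ability to call the kernel directly instead of only through prebuilt library stubs. The following is an added example, not code from the SDK or from this article: a small POSIX C program that exercises raw syscall(2) calls (getpid, write, read) and the errno convention a payload has to handle itself when it bypasses the libc wrappers. It assumes an ordinary libc with <sys/syscall.h>, which also exists on FreeBSD (the PS5's base); the SDK's own syscall interface is not assumed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/types.h>

/* Assumption: plain POSIX syscall(2) with SYS_* numbers from <sys/syscall.h>;
 * the PS5 SDK's own syscall interface is not assumed. */

/* Issue getpid via the raw syscall entry and compare with the libc wrapper. */
int raw_getpid_matches_libc(void) {
    long raw = syscall(SYS_getpid);
    return raw == (long)getpid();
}

/* Write a whole buffer with the raw write syscall, retrying on short writes.
 * Returns bytes written, or -1 with errno set: a raw call has no other error
 * channel, so the payload has to check this itself. */
ssize_t raw_write_all(int fd, const char *buf, size_t len) {
    size_t done = 0;
    while (done < len) {
        long n = syscall(SYS_write, fd, buf + done, len - done);
        if (n < 0) return -1;
        done += (size_t)n;
    }
    return (ssize_t)done;
}

/* Round-trip a constructed message through a pipe using only raw write/read
 * syscalls; returns 1 if the bytes come back intact. */
int raw_pipe_roundtrip(void) {
    const char msg[] = "hello from payload\n"; /* constructed sample input */
    char out[sizeof msg];
    int fds[2];
    if (pipe(fds) != 0) return 0;
    int ok = raw_write_all(fds[1], msg, sizeof msg - 1) == (ssize_t)(sizeof msg - 1);
    long n = syscall(SYS_read, fds[0], out, sizeof out - 1);
    close(fds[0]); close(fds[1]);
    if (!ok || n != (long)(sizeof msg - 1)) return 0;
    out[n] = '\0';
    return strcmp(out, msg) == 0;
}

/* A raw write to an invalid descriptor fails with errno == EBADF; return the
 * errno so callers can see the convention a payload must handle. */
int raw_write_bad_fd_errno(void) {
    errno = 0;
    return raw_write_all(-1, "x", 1) == -1 ? errno : 0;
}
```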

this is great news! can’t believe it I’m haxxoring rn. jk. tho seriously a step closer! great work!