TheFloW confirms his BD-JB exploit still works on PS5 latest firmware 7.61
PlayStation hacker TheFloW has confirmed that his BD-JB exploit still works on the latest PS5 Firmware.
The complete BD-JB exploit chain, which constitutes a usermode entry point for hacks on the PS4/PS5, was originally made of 5 separate exploits, which TheFloW had disclosed last year:
- The class com.sony.gemstack.org.dvb.user.UserPreferenceManagerImpl deserializes the userprefs file under privileged context using readObject(), which is insecure.
- The class com.oracle.security.Service contains a method newInstance which calls Class.forName on an arbitrary class name. This allows arbitrary classes, even restricted ones (for example in sun.), to be instantiated.
- The class com.sony.gemstack.org.dvb.io.ixc.IxcProxy contains the protected method invokeMethod which can call methods under privileged context. Permission checks in methods can be bypassed.
- (PS4 only) The “compiler receiver thread” receives a structure of size 0x58 bytes from the runtime process. An attacker can simply send an untrusted pointer and the compiler receiver thread will copy data from the request into its memory. In other words, we have a write-what-where primitive.
- The UDF driver https://github.com/williamdevries/UDF is used on the PS4 and PS5 and contains a buffer overflow.
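The first two items above are generic Java weaknesses rather than anything PS5-specific: an ObjectInputStream.readObject() call on attacker-controlled bytes with no class filter, and a Class.forName() on a caller-supplied name. The snippet below is an added example written for this article, not code from TheFloW's BD-JB chain or from Sony's BD-J stack. It shows each weak pattern beside its hardened form in plain Java (Java 9 or later for ObjectInputFilter and Set.of). All class names in it (DeserializationHardening, PrefsRecord, DefaultService, SERVICE_ALLOWLIST) are hypothetical, and the sample bytes are constructed in main().

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Added example, not from the article or from the BD-JB exploit code.
// Demonstrates the two patterns named in the article's list:
//  1) unfiltered readObject() on untrusted bytes vs. an ObjectInputFilter allowlist
//  2) Class.forName() on a caller-supplied name vs. a closed allowlist of names
// All class names in this file are hypothetical.
public class DeserializationHardening {

    // Hypothetical record type a preferences file would legitimately contain.
    public static final class PrefsRecord implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String language;
        public PrefsRecord(String language) { this.language = language; }
    }

    // Hypothetical service implementation a caller may legitimately request by name.
    public static final class DefaultService {}

    // Weak pattern: the stream decides which class is instantiated; its deserialization
    // hooks run before the caller's cast ever has a chance to fail.
    public static Object readUnfiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    // Hardened pattern: the filter is consulted for every class before an instance is
    // created, so anything other than PrefsRecord is rejected with InvalidClassException.
    public static PrefsRecord readFiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowOnlyPrefs = info -> {
            Class<?> c = info.serialClass();
            if (c == null) {
                return ObjectInputFilter.Status.UNDECIDED; // back-reference or size-only callback
            }
            return c == PrefsRecord.class
                    ? ObjectInputFilter.Status.ALLOWED
                    : ObjectInputFilter.Status.REJECTED;
        };
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(allowOnlyPrefs);
            return (PrefsRecord) in.readObject();
        }
    }

    // Hypothetical closed set of class names the lookup is allowed to resolve.
    private static final Set<String> SERVICE_ALLOWLIST = Set.of(DefaultService.class.getName());

    // Weak pattern: any loadable name, including JDK-internal classes, is resolved.
    public static Class<?> lookupUnchecked(String className) throws ClassNotFoundException {
        return Class.forName(className);
    }

    // Hardened pattern: check the name against the allowlist before touching the class loader,
    // and do not run static initializers (initialize=false) during resolution.
    public static Class<?> lookupChecked(String className) throws ClassNotFoundException {
        if (!SERVICE_ALLOWLIST.contains(className)) {
            throw new IllegalArgumentException("class not permitted: " + className);
        }
        return Class.forName(className, false, DeserializationHardening.class.getClassLoader());
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: one expected record and one object of a class the
        // reader does not expect (ArrayList stands in for any attacker-chosen class).
        byte[] benign = serialize(new PrefsRecord("en"));
        byte[] unexpected = serialize(new ArrayList<>(List.of("x")));

        System.out.println("unfiltered accepts: " + readUnfiltered(unexpected).getClass().getName());
        System.out.println("filtered accepts record: " + readFiltered(benign).language);
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered rejects unexpected class: " + e.getMessage());
        }

        System.out.println("checked lookup: " + lookupChecked(DefaultService.class.getName()));
        try {
            lookupChecked("some.internal.Class"); // placeholder name, rejected before forName runs
        } catch (IllegalArgumentException e) {
            System.out.println("checked lookup rejects: " + e.getMessage());
        }
    }
}
```

The point for a defender is that neither fix depends on knowing which gadget class an attacker would pick: the filter and the name allowlist both describe what the code expects and refuse everything else, which is the only strategy that holds up against classes you did not know were reachable.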
This BD-JB hack is currently actively used on PS5 Firmwares 3.00 to 4.51, as an entry point to the kernel exploit which allows hacking these firmwares. (As an alternative to the BD-JB exploit, many of us use a webkit exploit instead, although in both cases, the goal is to then trigger the same kernel exploit for privilege escalation)
What is a bit surprising is that the hacker had stated a while ago that the BD-JB vulnerabilities (or some of them) had been fixed in PS5 Firmware 5.00. It is unclear to me if he has found additional exploits to reactivate the chain, if some bugs were reintroduced, if Sony never properly patched the exploits, or if it is something else. It would appear Sony simply never bothered to patch the vulnerability.
Multiple usermode exploits already exist on the PS5
A new tweet from TheFloW regarding PS5 exploits is always a nice treat, but usermode exploits for the PS5 are not the main issue that the scene is facing on new firmwares. Mast1c0re for example is still an entry point that works on recent firmwares, and hackers have stated that more usermode entry points exist on the PS5. From CrazyVoid recently:
Kernel exploits (and more) remain the bigger issue on the PS4 and PS5, to get more people access to a hackable console.
Source: TheFloW
Does this mean I can update my 2.0 firmware to the latest update (…in order to be able to download game DLC that appeared and make other games usable) and I will still be able to get the jailbreak??
No! The Kernel exploit is the critical thing here, and that exploit only works up to 4.51. If you have a PS5 on 2.00 I’d really advise against updating it at the moment.
I just read now that the exploit works up to 4.00!
Why precisely should I stay on Beta 2.0?
Because of an eventual full custom firmware??
Firmwares 2.50 and below are rumored to have specific vulnerabilities in the Hypervisor, meaning they could be the only “fully jailbreakable” firmwares out there.
Where are you from? I’d gladly exchange you your PS5 for mine.
Add $1000 to your offer and maybe
@Miguel, add 1000 dollars to your offer and maybe
Yes, update immediately.
@john …nice try…
no stay on that firmware until a complete jail-breakable solution arrives…
Thanks
So this will, in time, enable us to use 60fps mods and homebrew on later FW? Is that correctly assumed of me?
A Kernel exploit would be required for most of that, in addition to the BD-JB usermode exploit. BD-JB is not a Kernel exploit.
Well, I wish the playable version could be this latest one, but actually it is not.
still works on 8.00?
…heeee I really doubt giving the publicity about all this.
I'm sure SONY patched something.
…fingers crossed, we will wait for wololo's answer about this
I assume it works but as I understand some components of the exploit are still private to TheFloW so he’s the one who can give a definitive answer