PSFree 1.4.0 Beta (Webkit exploit) released for PS4 up to 9.60 and PS5 up to 5.50

The PSFree webkit exploit for PS4 and PS5, developed by scene member abc, is making progress on a regular basis. Yesterday, version 1.4.0 was released. It adds a kernel patch payload for PS4 8.0x and some bug fixes. Ultimately it appears the developer intends to make it an all-in-one toolkit to run kernel exploits (work is apparently ongoing for that on firmwares that currently have kernel exploits, and I’m assuming the goal is to make it “easy” to integrate with future kernel exploits).
What is PsFree for PS4/PS5
PsFree is a (work in progress) webkit exploit for PS4 firmwares 6.00 to 9.60, and for PS5 1.00 to 5.50. It is based on CVE-2022-22620 by security researchers Sergei Glazunov and Maddie Stone.
A webkit exploit, in the context of PS4/PS5 hacking, is a usermode exploit. It allows limited access to run unsigned code on the console. While in theory it could be used to run homebrew games, in practice such exploits are typically used as entry points or attack vectors for privilege escalation (aka kernel exploits). In other words, a usermode exploit such as this one is usually not very useful on its own for the end user, but once combined with a kernel exploit, can lead to a Jailbreak of the console.
There are kernel exploits publicly available on the PS4 (up to firmware 9.00) and PS5 (up to Firmware 4.51) as of this writing. Although these kernel exploits are already used in combination with other usermode entry points, the benefits of this webkit exploit are as follows:
- On firmwares with an existing entry point/kernel exploit combination, it could be used to replace the existing exploit, possibly offering a more stable implementation.
- On firmwares that do not yet have a kernel exploit, it can be used as an entry point in the future, once such kernel exploits are found. For security researchers, it also provides a ready-to-use entry point to dig further into the machines.
The PS4/PS5 version was implemented by abc, with credit to the following people:
- anonymous for PS4 firmware kernel dumps
- janisslsm from ps4-dev on discord.com
  - contributed ROP chain managers for 8.5x and 9.0x
  - contributor of the ROP chain manager for 9.5x
  - Helped in figuring out the size of JSC::ArrayBufferContents and its needed offsets on different firmwares.
- barooney from ps4-dev on discord.com
  - contributor of the ROP chain manager for 9.5x
- CelesteBlue from ps4-dev on discord.com
  - Helped in figuring out the size of WebCore::SerializedScriptValue and its needed offsets on different firmwares.
  - figured out the range of vulnerable firmwares
- Kameleon_ from ps4-dev discord
  - Asked people to test 1.3.0 (beta) on other firmwares and reported if the performance boost worked (reports from 6.72-9.60).
- Quentin Meffre (@0xdagger) and Mehdi Talbi (@abu_y0ussef) for the 6.xx buildBubbleTree() UaF exploit that served as the framework for the exploit.
- Maddie Stone for the CVE writeup
PsFree on PS4/PS5 has been touted as extremely fast and reliable.
PSFree 1.4.0 – What’s new
From the changelog:
- add kernel patch payload for 8.0x
- fixes:
  - remove the risk of crashing from using the Chain classes
  - remove the risk of crashing from using make_buffer()
Download and use PSFree

The easiest way to try PSFree is to point your PS4/PS5 Browser to a public test URL, such as https://zecoxao.github.io/psfree/
Alternatively, if you want to host the exploit yourself, you can download it here. You’ll want to set up your own host locally.
- We have a guide on how to do that for PS5 here.
Source: via logic-sunrise

Love how much progress is being made on the PS4/PS5 fronts so quickly. Very exciting.
Which ps4 brand new could I buy?
Can anyone confirm this to be working in the version 9.03 for PS4?
First
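In Hong Kong (China), Taiwan (China) and mainland China, there are still a lot of PS4 consoles on firmware 9.03, 9.04 and 9.6. I hope firmware above 9.0 gets cracked soon! love from Taiwan!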
We’re still waiting on a kernel exploit for 9.50, 9.51, and 9.60 correct? This is just one of the two pieces needed for a full jailbreak?
This is correct