PS5: New kernel vulnerability disclosed in FreeBSD, could open the way for a Jailbreak on all firmwares
FreeBSD have published an urgent security advisory this week, disclosing a critical vulnerability in the FreeBSD kernel. Zecoxao has confirmed today, following this official disclosure, that an anonymous friend of his has already leveraged this bug to exploit the PS5. There are still many steps to be taken in order to turn this into a publicly released Jailbreak, though.
TL;DR:
- A new critical bug has been disclosed in FreeBSD. Scene veteran Zecoxao has confirmed that it can be leveraged to run a kernel exploit on the PS5.
- The bug has also been confirmed not to impact the PS4.
- Additional usermode entry points, plus a lot of elbow grease, are still needed to turn this into a Jailbreak release for the PS5.
PS5 Jailbreak, the status, and the latest FreeBSD vulnerability
The PS5 can be jailbroken up to and including firmware 4.51, so far. That firmware was released in 2021, and it has become progressively harder to find PS5s running such an old firmware, even on the second-hand market. The scene had been waiting for a new kernel exploit for quite some time now, and this new announcement might be exactly that.
Earlier this week, FreeBSD published a security advisory for CVE-2024-43102, a critical vulnerability in the FreeBSD kernel. As both the PS4 and the PS5 are based on FreeBSD, bugs in that OS typically impact the Sony consoles as well. Specifically, the issue is as follows:
Concurrent removals of certain anonymous shared memory mappings by using the UMTX_SHM_DESTROY sub-request of UMTX_OP_SHM can lead to decreasing the reference count of the object representing the mapping too many times, causing it to be freed too early. Malicious code exercising the UMTX_SHM_DESTROY sub-request in parallel can panic the kernel or enable further Use-After-Free attacks, potentially including code execution or Capsicum sandbox escape.
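To make the defect class in the advisory concrete, here is an added C model written for this page; it is not FreeBSD's code and not anyone's exploit. The names shm_reg, shm_destroy_buggy, shm_destroy_fixed and race_two_destroys are illustrative, and the two racing DESTROY requests are replayed sequentially so the outcome is deterministic. It shows why two destroys of the same mapping must not both drop the registry's reference, and the check that stops the second one.

```c
#include <stdbool.h>
/* Constructed model (not FreeBSD's code) of the object behind an anonymous
 * shared-memory mapping: one reference for being linked in the kernel's
 * registry, plus one per live user. Runs sequentially so the outcome is
 * deterministic; in the kernel the two DESTROY callers are racing threads. */
struct shm_reg {
    int  refcnt;   /* outstanding references */
    bool linked;   /* still present in the registry? */
    bool freed;    /* set when refcnt hits zero: the object is gone */
};
static void shm_reg_unref(struct shm_reg *r)
{
    if (r->freed)  /* any touch past this point is a use-after-free */
        return;
    if (--r->refcnt == 0)
        r->freed = true;
}

/* Buggy destroy: every caller drops the registry's reference, so two
 * DESTROY requests decrement twice for a single link. */
void shm_destroy_buggy(struct shm_reg *r)
{
    r->linked = false;   /* unlinking twice is harmless, so nothing trips */
    shm_reg_unref(r);    /* ... but this runs once per caller */
}

/* Fixed destroy: only the caller that actually unlinks may drop the link's
 * reference; the check and the decrement must happen under one lock. A
 * racing second caller sees linked == false and leaves the count alone. */
bool shm_destroy_fixed(struct shm_reg *r)
{
    if (!r->linked)
        return false;    /* already destroyed by a racing request */
    r->linked = false;
    shm_reg_unref(r);
    return true;
}

/* Two DESTROY requests against a mapping that still has one other user
 * (refcnt 2 = link + user). Correct result: refcnt 1, object not freed. */
struct shm_reg race_two_destroys(bool use_fixed)
{
    struct shm_reg r = { .refcnt = 2, .linked = true, .freed = false };
    for (int i = 0; i < 2; i++) {
        if (use_fixed)
            shm_destroy_fixed(&r);
        else
            shm_destroy_buggy(&r);
    }
    return r;
}
```

With the buggy path the object is "freed" while its remaining user still holds a reference, which is exactly the early free the advisory describes; the fixed path leaves that reference intact.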
Since the CVE was published, Zecoxao has confirmed on Twitter that at least one hacker has been able to leverage this bug to craft a kernel exploit on the PS5. However, the scene has also discovered that it doesn't impact the PS4. That's because the PS4 is based on FreeBSD 9, which doesn't have the bug (as opposed to the PS5's FreeBSD 11 base).
But it's on the FreeBSD 11 branch [PS5]; this is the line which contains the bug https://t.co/P8xxly3QG7
— Kameleonre_ (@Kameleonre_) September 10, 2024
Zecoxao has also hinted that his anonymous friend will not release their weaponized exploit (or that it's not entirely ready yet?), but at least this is a big hint for other security researchers that this is a good bug to look into for a potential PS5 Jailbreak.
no spoonfeeding! it's best to learn by doing it yourself 🙂
— Jose Coixao (@notnotzecoxao) September 11, 2024
It is also unclear at this point whether all PS5 firmwares are impacted, or whether Sony were given a heads-up to patch the issue ahead of time. The "official" patches were only submitted to the FreeBSD codebase less than a week ago, though, so it is likely that all current PS5 systems are impacted.
Furthermore, a new usermode entry point is needed for this exploit: a way to trigger the privilege escalation (root access) exploit in the first place. This could be a WebKit vulnerability or anything else. Those are typically easier to find than kernel exploits, so there's hope that this aspect is just a matter of time. Zecoxao has shared some potential usermode entry points, developed by hacker DebTy. Those are not confirmed to work on PS4/PS5 yet and need testing. You can point your PS5's browser to the test URL at https://debvt.github.io/Wm/
It will take time before this can be turned into a public release. If you're excited at the prospect of testing and crashing your console, have a look at the various links above. If you're just waiting for a full-fledged PS5 Jailbreak, you'll need to be a bit more patient.
Waaaaaaaaaaaaaaaaa!!!!!!!
Woooooo…
Jailbreak for 1.00 up to 7.61 exclusively
Sony patched it on 8.00 update!
No, because Sony patched it on 8.00, you can be assured that your PS5 PRO will come with the latest firmware, WAY higher than 8.00. It is the main reason gamers JUMP on ALL the PS5 bundles that come with firmware 5.00/5.50! My main PS5 day one is running at 4.03 and last night I just bought my 2nd one, 4.50/5.00, brand new sealed
just in time for the 700 pro!
So nice news to hear.
Keep doping great job guys!
this will definitely be the reason i get a ps5pro now! *looks at wallet* no, nevermind.
really early to say, I remember we had a lot of hope for the PPPoE exploit but nothing came out of it for PS5 and it will be a long time before we get anything.
Yeah, that’s actually a good point. I had high hopes for the PPPwn exploit on PS5 🙁
Been waiting on PS5 4.03 for something to be released and the PS5 is in the box, was actually thinking of updating it but guess I'll wait.
Does anyone notice that the PS4 jailbreak coincided with the release of the PS4 Pro? That could have been just a coincidence, but this time again, the same week Sony announced the PS5 Pro, again a coincidence with the potential jailbreak for the base PS5. Maybe I am wrong, but my theory is that these are not accidents, but by design from Sony, with the idea being: let's push the base model into the pirated games category, this way it will help to clear the warehouse stock and will make it easier to sell your used base model, and people from the non-pirated sector should buy the Pro model. Just my theory.
Sir, you can be a detective, thumbs up.
my ps5 7.40 is waiting patiently all these years
You mean 1 year and 3 months, since 7.40 has been released by Sony and considering you’ve bought/updated the console right away?
I love you all SO much, you beautiful, gorgeous, awesome people!
This is exactly what I needed after the PS5 Pro announcement fiasco.
Did the comments on the previous article just get approved? The counter was at 0 at least the day before yesterday, then it showed up with predated comments after this one existed.
Yeah, I've been a bit lazy and haven't gone through the moderation queue in a while, sorry about that. (ALL comments are moderated, by the way, just in case people are wondering if they're being unfairly singled out. Also, the goal is to filter out obvious spam, not to prevent people from expressing their opinion.)
All good. I remember when the spam comments were much more annoying years ago.
So all credit goes to FreeBSD for publishing this information.
Unlike Jose Coixao's friend, who claims to have used this bug in an unreleased exploit.
Jose Coixao's friend could have claimed credit, but because they kept it to themselves, no bounty reward from HackerOne and no e-fame.
Great news though.
this is exciting
Awesome news, wish I wasn't such a lazy, unmotivated *"person"*, then I would do it myself and of course share it, but for now I've got problems way bigger than an unhacked console :/
Anyway thank you wololo for always keeping us updated, and for all the other previous cool stuff you did, HBL, Ninja releases and so on, you are a great bro/guy.
RIP Qwik, I miss you bro, u were an angel and didn't deserve the fate u had 🙁 u did sooooooooooooooooooooooooo much for all of us and for me too
Yup RIP Qwik
Only works up to 7.61 FW
exactly, patched on 8.00
so PS5 PRO = forget about a CFW on it
$ony patched this way back on 8.00 apparently and "forgot" to warn the FreeBSD community, those on 7.61 are golden coz BD-JB also works on 7.61
Poopy yay yippee I’m good how are you doing today beautiful and happy birthday to you
yay yippee I’m good how are you
luckily I don't have a PS5 😀
wishful thinking that this potential jailbreak can work on a PS5 8.6
forget