PS5 Kernel exploit: Flat_z implementations released, writeup on the exploit, and Firmware limitations
A lot has happened in the few days that followed a huge vulnerability disclosure in FreeBSD, which has been confirmed to impact the PS5. Specifically, implementations compatible with the PS5 are already being published, a full writeup on how to exploit the vulnerability is out there, and the bug has been apparently patched in PS5 Firmware 8.00. Read on for details.
PS5 Kernel vulnerability – most likely patched with Firmware 8.00
FreeBSD released a security advisory for a critical vulnerability in their OS. The vulnerability has been confirmed to impact the PS5, and had apparently been used, under the hood, by several hackers or hacker groups, even before the disclosure.
PlayStation hacker flat_z has stated on Discord that Sony have patched the exploit with PS5 Firmware 8.00. This means all PS5 Firmwares up to and including 7.61 are impacted by the vulnerability. If you have a PS5 on a low firmware, good for you. If not, now might be the best time to find one while they’re still cheap. If you go hunting for a low firmware PS5 though, do understand that as long as nothing is released, you might end up with just an expensive PS5. Even in the best case scenario, be reminded that a hacked PS5 nowadays can only run a limited selection of homebrew, and PS4 “backups”.
It appears that Sony didn’t “purposefully” patch the exploit ages before it was even known, but rather did a significant cleanup of their code when working on Firmware 8.00, which ended up patching a significant number of vulnerabilities. This exploit being voided with Firmware 8.00 was apparently a side effect of that. As stated by Zecoxao:
to everyone that did not understand flatz’s words: it’s likely that sony never intended to fix this bug, and accidentally “fixed” it on 8.00 by patching syscall and libkernel access from the main contenders such as bluray java, webkit and ps2 games…
— Jose Coixao (@notnotzecoxao) September 13, 2024
FreeBSD Vulnerability: Writeup by AccessVector and VM Framework by Fail0verflow
It seems multiple security researchers had discovered the vulnerability beforehand, and had kept it under wraps until now. AccessVector have a detailed writeup of the vulnerability at https://accessvector.net/2024/freebsd-umtx-privesc and stated they will release a PoC. That PoC will most likely not be PS5 specific, but the writeup is a good starting point for anyone wanting to understand the details of the exploit.
Fail0verflow claim they’ve had access to this vulnerability for two years now, and have a good framework designed to run the exploit in a “PS5 like” FreeBSD environment. If you want to look at the implementation and run it in a VM for debugging, check out their GitHub at https://github.com/fail0verflow/ps5-umtxdbg/ . There is no writeup about this exploit on their blog yet.
PS5 Exploit for Firmware 7.61 and below – Flat_z releases implementations for BD-JB and Lua
Flat_z has released two implementations of the exploit earlier today. One is intended to run with the BD-JB usermode exploit (you will need a Disc-based PS5 to run this one, as well as a Blu-Ray disc burner and some writeable discs, to burn the exploit onto Blu-Ray). The other one, which will be of particular interest to those on a Digital PS5, apparently involves loading the exploit through a Lua script.
It has been hinted that some specific game on the PS Store uses Lua scripting (maybe as part of its saves or configuration), and I’m assuming you will be able to tweak the Lua files of the game in order to trigger a usermode exploit, which will in turn load this FreeBSD exploit. This system will most likely work like Mast1c0re, meaning you will need a way to decrypt/encrypt these files from and to your PS5. The known ways to do that currently are to use a hacked PS4 (or ask someone with a hacked PS4 to do it for you), and/or to use a service such as Save Wizard (this is a paid-for service that I have never used, so I can’t personally vouch for it).
It will most likely be impossible to actually purchase and install the exploitable game while fulfilling the requirement of being on firmware 7.61 or below. This means people on a Digital edition of the PS5 will either need to be extremely lucky (aka already own the game in question, or a game with similar exploits), or wait for a new entry point (e.g. webkit) for the moment. It’s also very likely that Mast1c0re could be leveraged to run the exploit here as well, given time. So if you jumped aboard the mast1c0re exploit back in the day and own Okage: Shadow King on your PS5, I would assume something might come your way eventually.
Download PS5 exploit implementations by flat_z
Note: These implementations do nothing on their own: they need to be compiled within the BD-JB framework, or encrypted and run within a yet-to-be-announced game, respectively.
Flat_Z has also stated the exploit is neither a usermode nor a kernel exploit, and at this point I’m personally confused as to what that technically means. I’ve always assumed an exploit either gives you an entry point (lets you inject malicious data as a regular user, aka usermode exploit), or lets you do privilege escalation (aka kernel exploit), but it seems I’m too old for the new world of computer security. Update: that specific point was about another vulnerability, recently disclosed to Sony by TheFloW, and not related to the exploit discussed in this article. My apologies for the confusion.
Again, at this point, if you happen to have a PS5 on firmware 7.61 or below, stay put. You can test the releases above if you’re technically savvy, but otherwise we’re still in waiting mode.
The last screenshot where flat_z is saying this is not a kernel exploit he was talking about the recent hackerone report of theflow0.
wuhu mine is on 7.4 and it’s the disc one so great now i just need blurays and a blu ray burner lol like the ps2 back then f yes nostalgia
I actually think you need the burner to make a disk that jailbreaks the console, not disks with backed up games. Games would stay on the HDD (my assumptions)
i know but i needed a burned dvd too for hacking the ps2 u needed og and a copy with an elf modified.
I assume I’m too dumb to understand but if I got a Blu-ray burner and BR discs, can I run a jailbreak at this state?
I kinda didn’t understand but I’m stupid enough to fork whatever is necessary to have a console capable of running backups and such.
In case you’re going to suggest I get a hackable console, boy, I searched relentlessly within my scope and didn’t find any.
unfortunate 8.6 user here still waiting for an exploit
Wonder if games could be downgraded for firmware 5 or simply update to latest stable when released and stable enough.
And this is what I get for updating a firmware 7.50 PS5 last week in order to play Astro Bot…
It is a very damned good game, though. So I suppose I can’t be too upset.
flat_z was referring to theflow’s RCE bug, for which he was rewarded in H1, when he said it’s not a kernel exploit, not a user mode exploit and RCE in discord. It’s nothing to do with this recently reported FreeBSD umtx vulnerability. flat_z’s umtx implementations are implementations of a kernel exploit.
Thanks for the clarification and my apologies for the confusion. I have updated the article
Finally my PS5 7.00 is going to get some more use. Going to need that bluray burner…
Thanks folks for the comments. I was worried when it says flat_z said it isn’t a kernel exploit. But thankfully, he was talking about something else. I’m so excited I can finally jailbreak my PS5! Thank you, talented scene members!
I hope Astro Bot can get backported. It probably won’t happen until a kernel exploit for newer firmware comes out. 🙁
up yours
“…be reminded that a hacked PS5 nowadays can only run a limited selection of homebrew, and PS4 “backups”.”
Is this the case? I thought previous hacks are running PS5 backups, or is it different for this?
to my knowledge it isn’t publicly possible to run PS5 backups on any PS5 hack at the moment. There’s always a possibility I’m wrong though!
I just double checked and reached out to my friend that I helped set up some time ago with firmware 4.03 and he confirmed that he is loading PS5 backups. I also just searched online and saw Modded Warfare details how to with ItemzFlow (search Google: “How to Load PS5 Game Backups with Itemzflow”).
Not arguing, just trying to find out if I am crazy and/or it is worth it. Hoping so since mine is on 6.xx)
Yup, another mistake on my end. You are correct.
You absolutely can run some PS5 backup games, but they are only the games that can run on FW 4.X or lower, which currently are not a lot.
You are correct, that was my bad, I had totally forgotten this was a thing
yeah but even weirder is that not all games work. demon’s souls still doesn’t work despite being a release title. possibly due to needing actual hypervisor bypass.
Flat_z, you are huge! My 6.50 Disc PS5 has been waiting patiently for two years.
Big kudos to you and all involved!
By the time these so-called “security researchers” finally crack the protection, even their own PS5 units will die out. Ffs, these idiots are slow, they didn’t even hack the PS4 firmwares properly, and they focused on PS5, where we all have to *** wait for an exploit? It’s idiotic from them, they should either hack the console now or just give up on that *** as they suck.
*** DUDE!!!!
so correct me if I’m wrong, you call these people “idiots”!!!! they are absolute geniuses, the only “idiot” people i see are the ones that can’t understand anything about security and the depth of knowledge needed to do this kind of stuff and won’t shut up and keep complaining.
you guys are just like the beggars on the side of the street insulting the people going around you to give you free stuff, just shut your mouth and wait for them to release something for us, they are NOT our servants, they do NOT owe us anything.
you sir are the absolute definition of IDIOT
Jeezus man. Go check your attitude. They owe NOTHING, they could just keep everything to themselves and never release anything.
No need for you to wait for those “slow ” researchers. You are more than capable to do it yourself.
now i know we want to rag on the guy, but i’ll be the first to admit… I am not capable. XD
Why don’t you do it then??
they are hand and hand with sony unfortunately sold there souls to sony hence why they are keeping the exploits for themselves and there friends is a two tier thing they sell there bugs to sony and sony tell them what they can disclose there scared greedy nerds with no life essentially not one of them could make a kid. they talk about there need for time away but then post clickbait do yourself a favour buy your games and enjoy your consoles
*their
@istartedthis You know you could buy two consoles if you’re that bothered. You either like modding or you don’t, why come check for exploits if you’re just going to complain whenever they post their progress?
Also they use that Hacker One project mostly to not get sued – the financial reward is just the cherry on top. Look at what happened to GeoHot, he didn’t use the Hacker One project and got taken to court by Sony.
And here you are. Ungrateful like a child.
Hello,
I have a question regarding the PS5 firmware update. My PS5 console currently has firmware version 7.0. For over a year, I have been waiting to play games that require firmware 7.61, as I have purchased some game discs for my child that need this version. However, I have been hesitant to upgrade because many people recommend staying on the lowest firmware available.
Could you please advise whether I should upgrade from 7.0 to 7.61, or if it would be better to wait for a potential jailbreak?
Thank you.
don’t update, going from 7.0 to 7.61 does not give you any huge benefit so it’s worth the wait to see if any jb comes up, as for your kid there are plenty of ps4 physical games out there you can get to keep him entertained
at this point, all work is going into 7.61. now it’s very likely that if 7.61 gets broken, then 7.0 will be also, eventually. 4.03 was the golden firmware for a better breakthrough than what we have now through 4.51. it’s also likely that games will be backported all the way back to the earliest jailbreakable firmware. but unless you’re already that low, it’s unlikely that a miracle will occur for 7.0 and NOT 7.61. now as for the discs, you will not be able to play them unless you update to the required firmware. also, those games (as dumps) are not guaranteed to work with the current level of backup compatibility we have now. so after all that taken into account, i’d probably chance it and update to 7.61 right now to play those discs immediately. i’m on 4.51, so i’ll stay put if they can backport game dumps.
Mine’s on 7.00 too, Just WAIT until they release everything needed to do the exploit then look at your options.
Update now and you will have less options in the future.
You’ve waited a year, you can do a few more weeks.
My 4.x console just sitting pretty.
why does it say ps5.hen can run ps4 backups and some homebrew? ps5 backups work with itemzflow…