PS5: SpecterDev releases umtx Jailbreak for Firmware 5.50 and below. Payloads still need work on 5.xx
Following the release for Firmwares 1.xx and 2.xx just a couple of days ago, code has been added to the umtx Jailbreak for PS5, and it now supports Firmwares up to and including 5.50. This is pretty big news, considering that until today, only Firmware 4.51 and below were actually hackable.
However, there are limitations with this Jailbreak for Firmwares 5.00 and above. Read on.
PS5 Jailbreak For Firmware 5.50 and below released
SpecterDev has just released an update to his implementation of the umtx exploit chain, porting it to Firmwares 3.xx up to and including 5.50. This means the exploit chain now works on all Firmwares up to 5.50. Specifically, here is what version 1.2 of this exploit brings:
- Add support for 5.00, 5.02, 5.10, and 5.50FW
- Add support for 4.00, 4.02, 4.03, 4.50FW
- Add support for 3.00 and 3.20FW
- Add support for 2.70 factory FW
- Add support for 1.00 and 1.02 FW
- Added code to make porting easier
If you’re running a PS5 on Firmware 5.50 or below, you can try this exploit right away, using the download links below. Read on for the limitations though, as they are quite impactful right now.
UMTX Jailbreak: Limitations on firmware 5.00 and above
We’ve had a Jailbreak on PS5 for Firmware 4.51 and below for quite some time now, which means these firmwares, and how to bypass the security mitigations on them, are quite well understood. Firmware 5.00 and above, however, was uncharted territory until now. It seems Sony has patched some of the techniques that were used until now to take control of the PS5 system and execute unsigned code. In particular, dlsym has been used to load additional libraries and resolve functions after privilege escalation. Using it the way the scene has until now no longer works, at least out of the box: rules appear to be enforced so that a hijacked process (such as WebKit) can’t load libraries it isn’t supposed to. The existing SDK had ways to bypass these restrictions, which appear to no longer work.
According to SpecterDev, this means changes will be needed in the PS5 scene SDK and the various payloads that have been used so far, as they do not work “as is” on Firmwares 5.xx. Hackers are already thinking of potential solutions using existing features of the Homebrew SDK, and it looks like it might just be a bump in the road rather than a complete showstopper, but only time will tell.
Download PS5 umtx Jailbreak for Firmware 5.50 and below
The code for the exploit can be downloaded from the project’s GitHub at https://github.com/PS5Dev/PS5-UMTX-Jailbreak
To run the exploit, I have an (old) tutorial based on the existing exploit, which should work in basically the same way as long as you replace the files. As always, Modded Warfare has a tutorial video with the latest and greatest:
@wololo you said : “Following the release for Firmwares 1.xx and 2.xx just a couple days ago, code has been added to the umtx Jailbreak for PS5, and it now supports Firmwares up to 5.50 included. This is pretty big news, considering that until today, only Firmware 4.51 and below were actually hackable.
However, there are limitations with this Jailbreak for Firmwares 5.00 and above. ”
So the JB is supported 5.00 and below OR 5.50 and below !! ?? .50 is a huge difference considering the Forbidden West bundle and God of War bundle offer 4.50 to 5.00 and the most recent was offering 5.50….
As I understand 5.50 is supported. Technically, up to 7.61 should work given time
People need to understand this:
Bypassing the hypervisor (HV) on the PS5 will not directly allow you to install or run PS5 FPKGs (Fake Packages), as the PS5’s package management system (for games and apps) involves a separate security chip that is responsible for decrypting and validating PS5 PKGs (packages). This is a key difference between the PS4 and PS5.
Key Points:
PS4 PKGs: On the PS4, the package (PKG) system is handled at the kernel level. This means that once kernel access is achieved through an exploit, one can manipulate the system to decrypt and run unauthorized games or apps (FPKGs).
PS5 PKGs: The PS5, on the other hand, uses a dedicated security chip to handle the decryption and validation of its packages (PKGs). Even if you were to bypass the PS5 hypervisor and gain kernel access, the decryption of PS5 PKGs would still require compromising this dedicated chip. Without gaining control over this chip, running fake or unauthorized PS5 games (FPKGs) is not feasible.
This separate chip is part of the PS5’s trusted execution environment (TEE), which provides additional hardware-based security measures, ensuring that package management is isolated from the main CPU and kernel, thus preventing tampering even if the kernel is compromised.
What Would Be Required:
To enable FPKGs or fully compromise the PS5’s package management system, a researcher would need to:
- Bypass the hypervisor (to gain kernel-level control).
- Compromise the dedicated chip responsible for PKG handling, similar to what would be required in a hardware-level attack on trusted execution hardware.
Conclusion:
While bypassing the hypervisor is a significant achievement, it only grants kernel-level access, which is insufficient for manipulating PS5 games and packages. Accessing or disabling the additional security provided by the hardware chip is necessary to unlock FPKGs on the PS5.
Additional Info:
The PS5 employs a Trusted Execution Environment (TEE) that isolates sensitive operations, like handling PS5 PKGs, within dedicated hardware. This TEE provides strong isolation from the system’s kernel, so even if the kernel or hypervisor is compromised, the TEE can still protect cryptographic operations like package decryption. Thus, bypassing the hypervisor alone won’t allow access to PS5 PKGs.
It’s going to take something big to get me to shift from 4.03.
On X he has it working on 5.xx: /Andrew2007__/status/1839679126786998727
The SDK was just updated for 5.xx!