PS5: Firmwares 5.10 and 5.50 get “kstuff” support, others being worked on

Itemzflow running on PS5 5.50 – Screenshot by @madaramk
Test builds of “kstuff” have been provided by developers EchoStretch and Buzzer for users running PS5 Firmwares 5.10 and 5.50. The 5.50 build was released a few days ago, while the 5.10 build has already been out for a few weeks. Work is ongoing for the other 5.xx firmwares, 5.00 and 5.02 (each individual firmware has different function offsets that need to be found before the tool can work).
This release should be considered a test build for the time being, but will allow users on 5.10 and 5.50 to run a proper Custom firmware (specifically, etaHEN) on their PS5. This, I believe, includes support for PS5 backups.
Buzzer and EchoStretch also credit sleirsgoevy, idlesauce, BestPig, and zecoxao (as well as an anonymous friend of his) for these releases.
What is kstuff for the PS5?
Note: if you don’t care how your food is cooked, just jump down straight to the “Download and use” section below for links and tutorials.
Things have become a bit hairy and complex with the multiplicity of tools on the PS5 scene, so here’s the obligatory recap:
PS5 Security in short
As you might know/remember, the PS5 has fairly advanced security mechanisms in place. In particular, the OS runs within a Hypervisor, a mechanism similar to a Virtual Machine, which ensures that even privilege escalation to root (aka a kernel exploit) doesn’t fully compromise the device.
Additionally, the PS5 kernel runs in an “eXecute Only” memory space (XOM), meaning it can be run but not read (even with root privileges).
Typically once the PS4/PS5 scene has a kernel exploit, one of the first things we attempt to do is reverse engineer parts of the Kernel. The goal is to patch parts of the kernel in RAM, at runtime, to deactivate some protections (DRM checks and the like) as well as modify other elements of the system (for example to add functionality, in other words create a Custom Firmware, such as GoldHEN).
With an “eXecute Only” kernel, not only is it impossible to modify the kernel in RAM (XOM means no writing allowed), it’s not even possible to read it. This means no dump is possible, and consequently, reverse engineering of the kernel has been a tough nut to crack (solutions exist, and some people have access to at least older versions of the kernel, though).
This is where Prosper0GDB and “kstuff” come to the rescue.
Prosper0GDB and kstuff to the rescue
Although modifying/reading the kernel isn’t possible on the PS5 for now, hacker Sleirsgoevy has created a runtime debugger (Prosper0GDB) which is able to modify registers and the stack at runtime. In other words, although we are not able to patch the kernel in RAM, his debugger allows us to patch every instruction at the last minute, just before it gets executed.
The set of functions that Sleirsgoevy has created to patch “interesting” execution paths on the console is what we commonly call “kstuff”. Maybe not technically a “HEN” or Custom Firmware, but those are what I would personally consider to be the “building bricks” for a HEN.
Prosper0GDB and kstuff are of course a very powerful toolkit, but without knowing which instructions are what, it was still extremely time consuming for Sleirsgoevy to reverse a specific kernel (4.03 at the time) and the instructions that mattered. And because most functions are located at different places depending on the version of the firmware, the location of interesting instructions to patch (or the “signature” used to detect them when they’re about to be executed) changes with every firmware. Hence the need to port this to every single firmware that can be hacked.
This porting process is time consuming and not necessarily trivial, which is why each firmware takes time to get released.
Download etaHEN and kstuff for 5.10/5.50
- kstuff (please note that the file can also be found directly on the PS5 R&D discord). This version should work for both 5.50 and 5.10, but just in case, an earlier version (5.10 only) was released here.
- etaHEN latest beta
Source: EchoStretch on the PS5 Discord
Pretty nice!
Any update on the recent 7.61 Jailbreak?
Did we have any hope of a Hypervisor Exploit on 5.50 and lower ?
specially the 4.03 ?
wololo be like:
“This, I believe, includes support for PS5 backups.”