Adieu PS4 Kernel Exploit and his confirmation yesterday, today the PS4 scene is LIT AS F*CK for the holidays with the RELEASE of a fully implemented kernel exploit for PS4 v4.05 Firmware by @SpecterDev via Twitter alongside a debug_settings.bin Test Payload! Howbow dah, Sony?
Download: PS4-4.05-Kernel-Exploit-master.zip / GIT / Live Demo via @01cedric / Live Demo (Mirror #2) via @0x199 / Live Demo (Mirror #3) via @Red7s / Live Demo (Mirror #4) via @tunip3 / Live Demo (Mirror #5) via @EdiTzZMoDz / debug_settings.bin (16.23 KB Test Payload)
PS4 Package (PKG) research today PlayStation 4 developer @flatz announced on Twitter that in a few days he'll share some of his recent work so that it can be backported from 4.55 to 4.05 for use on PS4 jailbroken consoles!
To quote from the README.md: PS4 4.05 Kernel Exploit
In this project you will find a full implementation of the "namedobj" kernel exploit for the PlayStation 4 on 4.05. It will allow you to run arbitrary code as kernel, to allow jailbreaking and kernel-level modifications to the system. This release however, does not contain any code related to defeating anti-backups mechanisms or running homebrew. This exploit does include a loader that listens for payloads on port 9020 and will execute them upon receival.
You can find fail0verflow's original write-up on the bug here, you can find my technical write-up which dives more into implementation specifics here (this is still in progress and will be published within the next few days).
The following patches are made by default in the kernel ROP chain:
- Disable kernel write protection
- Allow RWX (read-write-execute) memory mapping
- Dynamic Resolving (sys_dynlib_dlsym) allowed from any process
- Custom system call #11 (kexec()) to execute arbitrary code in kernel mode
- Allow unprivileged users to call setuid(0) successfully. Works as a status check, doubles as a privilege escalation.
- This exploit is actually incredibly stable at around 95% in my tests. WebKit very rarely crashes and the same is true with kernel.
- I've built in a patch so the kernel exploit will only run once on the system. You can still make additional patches via payloads.
- A custom syscall is added (#11) to execute any RWX memory in kernel mode, this can be used to execute payloads that want to do fun things like jailbreaking and patching the kernel.
- An *** is not provided in this release, however a barebones one to get started with may be released at a later date.
- I've released a sample payload here that will make the necessary patches to access the debug menu of the system via settings, jailbreaks, and escapes the sandbox.
I was not alone in this exploit's development, and would like to thank those who helped me along the way below.
Update to a Specific PS4 Firmware: Firmware.v4.05.PS4.iNTERNAL-PS4FW
Those looking to buy a PS4 v4.05 console see the update HERE for a list of bundles most likely to be on 4.05 (or lower) when in new / unopened condition.
- PS4 OFW 4.05 Download Links: Darthsternie
- PS4 OFW 4.05 PUP MD5 Hash: 203c76c97f7be5b881dd0c77c8edf385
For those that prefer to Host Your Own PS4 Webkit Exploit Page see the guide, and below is a tutorial from tunip3 on:
How to Install the Debug Settings or Run Other Payloads on Your PS4 v4.0.5
This guide will not mention how to access the browser. This guide uses Specter's 4.0.5 kernel exploit. You will need to find your PS4 IP on your local network. This guide will also work for linux just replace the nc.exe with nc
- First on your PS4 navigate to tunip3.github.io/PS4exploit
- Next download the two needed files debug_settings.bin (16.23 KB) and nc.exe (49 KB)
- Now cd into the folder where you put the two files from the command line
- Run the command:Code:nc -w 3 [ps4 ip] 9020 < debug_settings.bin
Hope everyone had a Merry Christmas! Here's the 4.05 kernel exploit, fully implemented. Enjoy! Write-up coming soon!
After @SpecterDev released his exploit, i'll prepare stuff within a couple of days, someone need to backport it from 4.55 to 4.05, not hard to do. not sure if it will be a write-up or just snippets of code, let's see
I've also uploaded a test payload you can use after the kernel exploit runs that jailbreaks and patches the kernel to allow access to debug settings, just needs to be netcatted to the loader via port 9020.
[4.05] PS4 DEBUG SETTING BY SPECTER
PS4 4.05 PKG INSTALL
Someone told me this is not working yet. That is not correct. PKG installs fine. The problem is you would need a license file to play the content. PKG must be on root of USB just like on 1.76. Exciting times....
uart enabler for 4.05
Code:uint16_t *securityFlags = (uint64_t *)(kernel_base+0x2001516); *securityFlags = *securityFlags & ~(1 << 15); *(char *)(kernel_base + 0x186b0a0) = 0;
right, i only solder 1 wire (tx on ps4) and attach gnd wire to hdd cage, then using like 5$ uart to usb i listen on arduino(serial montor). very simple.
if anyone wants to continue trying to port the exploit to 3.55 you can use this, i was as far as trying to leak a good object, rop was working etc, just specters leak could never get a suitable object for the exploit on 3.55
Download: 3.55-specterPort.7z (16.48 KB) / PS4 Entrypoint 4.05 by IDC
Download: kernel_355_jig.7z (29.90 MB) / 355_modules.7z (9.83 MB)
Big THANKS to @ArthurBishop, @hyndrid, @Nesterwork, @ombus, @UmarDaBest559 and everyone else in the PSXHAX Shoutbox for this PS4 4.05 full kernel exploit news and let the jailbreaking begin!