Category: PS4 Jailbreaking | Thread starter: PSXHAX | Start date: Mar 14, 2018 at 5:52 PM
Following the 5.01 PS4 WebKit Exploit and 5.50 PS4 WebKit Exploit Rewrite, today @thierry passed along word on Twitter that he ported qwertyoruiop's PlayStation 4 v5.50 Userland Exploit to 5.03 Firmware with details below. :geek:

Download: ps4-5.03-webkit-exploit-master.zip / GIT

To quote from the README.md: PS4 WebKit Exploit for Firmware 5.03

Information


A port of the PS4 5.50 WebKit exploit by qwertyoruiopz. The port was possible thanks to the offsets from the 5.01 PoC by Alex and qwertyoruiopz's gadget finder code, which is included in the exploit.

It should work for firmwares 5.01 - 5.05, but the gadget offsets might need to be changed for the other versions.

Changes
  • Added a check to skip the current and parent directory entries when listing the browser's directories
Reference
Code:
0x5E8024AC -> 0x5E4024AC
Only difference between 5.05 and 5.03 exploit-wise; wasted all day rewriting the whole thing just to get this. At least it was a learning experience.
From Pastebin.com: PS4 5.03 Offsets
[Image: PS4 WebKit Exploit Port for Firmware 5.03 by Thierry]

Comments

Leslie84

Where does it say which firmware is kexploited or not? By Luca or not?

I think, slowly, when Sony says "okay guys, we have got our selling numbers on consoles", then the kexploit gets released; anyone does it, isn't it so?

What must we wait for, or not?

Zero kexploit, so what is the 5.03 WebKit for then? Playing like a child in the web browser for the end user?

I respect the work from all devs.

peace :)
 

Leslie84

I think a kernel exploit or a CFW will never be released for 5.50 or 5.03, but without PSN and the rest, like on PS3, it's too boring; stay on 4.55 and enjoy other things. I think it's not coming and nobody will release it. My feeling.

greets
 

tommasi

Exactly!!! Look at the price for PS4s on Amazon with low FW being sold by Sony. The price for these units jumps to double as soon as a kexploit gets released. Plus all these old games are valued at $1 or less, especially when in digital format. I only see the kexploit as a clearance point for an old console at double the price per unit. It's a win-win for Sony.
 