PS5 Jailbreaking | Thread starter: PSXHAX | Start date: Oct 12, 2022 at 6:08 PM
Following PS4GDB, PS4GDB_Desktop, the RING0GDB PS4 Payload, PS5 IDA Plugin and PS5 Kernel Exploit v1.01, developer chendochap backported the PS5 IPV6 Kernel Exploit 3.xx-4.xx, adding partial (WIP) support for Firmware 3.00, 3.10, 3.21, 4.00 and 4.02 alongside 3.20, 4.03, 4.50 and 4.51 support. Meanwhile PS5Scene developer @sleirsgoevy shared on Twitter news of a work-in-progress PlayStation 5 debugger dubbed Prosper0GDB. :geek:

Download: PS5-IPV6-Kernel-Exploit-wip_branch.zip / GIT / prosper0gdb (Limited 4.03 kernel singlestep) / prosper0gdb (Add functions to access dr[0-36-7])

From the PS5 IPV6 Kernel Exploit README.md (experimental WebKit-based kernel exploit (Arb. R/W) for PS5s on 3.xx-4.xx):

PS5 4.xx Kernel Exploit

Summary

This repo contains an experimental WebKit ROP implementation of a PS5 kernel exploit based on TheFlow's IPV6 Use-After-Free (UAF), which was reported on HackerOne. The exploit strategy is for the most part based on TheFlow's BSD/PS4 PoC with some changes to accommodate the annoying PS5 memory layout (for more see Research Notes section). It establishes an arbitrary read / (semi-arbitrary) write primitive. This exploit and its capabilities have a lot of limitations, and as such, it's mostly intended for developers to play with to reverse engineer some parts of the system.

With the latest stability improvements, reliability is at about 80%. This document will contain research info about the PS5, and this exploit will undergo continued development and improvements as time goes on.

Those interested in contributing to PS5 research/dev can join a Discord I have set up here.

Exploit should now support the following firmwares:
  • 3.00 (partially)
  • 3.10 (partially)
  • 3.20
  • 3.21 (potentially partially)
  • 4.00 (potentially partially)
  • 4.02 (potentially partially)
  • 4.03
  • 4.50
  • 4.51
Currently Included
  • Obtains arbitrary read/write and can run a basic RPC server for reads/writes (or a dump server for large reads) (must edit your own address/port into the exploit file on lines 673-677)
  • Enables debug settings menu (note: you will have to fully exit settings and go back in to see it).
  • Gets root privileges
Limitations
  • This exploit achieves read/write, but not code execution. This is because we cannot currently dump kernel code for gadgets, as kernel .text pages are marked as eXecute Only Memory (XOM). Attempting to read kernel .text pointers will panic!
  • As per the above + the hypervisor (HV) enforcing kernel write protection, this exploit also cannot install any patches or hooks into kernel space, which means no homebrew-related code for the time being.
  • Clang-based fine-grained Control Flow Integrity (CFI) is present and enforced.
  • Supervisor Mode Access Prevention/Execution (SMAP/SMEP) cannot be disabled, due to the HV.
  • The write primitive is somewhat constrained, as bytes 0x10-0x14 must be zero (or a valid network interface).
How to use
  1. Configure fakedns via dns.conf to point manuals.playstation.net to your PC's IP address
  2. Run fake dns: python fakedns.py -c dns.conf
  3. Run HTTPS server: python host.py
  4. Go into PS5 advanced network settings and set the primary DNS to your PC's IP address and leave the secondary at 0.0.0.0
    • Sometimes the manual still won't load and a restart is needed; unsure why, it's really weird
  5. Go to the user manual in settings, accept the untrusted certificate prompt, and run the exploit
  6. Optional: Run rpc/dump server scripts (note: address/port must be substituted in binary form into exploit.js).
Future work
  • Fix-up sockets to exit browser cleanly (top prio)
  • Write some data patches (second prio)
    • Enable debug settings
    • Patch creds for uid0
    • Jailbreak w/ cr_prison overwrite
  • Improve UAF reliability
  • Improve victim socket reliability (third prio)
  • Use a better / more consistent leak target than kqueue (no longer necessary)
  • Make ELF loader support relocations
Using ELF Loader

To use the ELF loader, run the exploit until completion. Upon completion it'll run a server on port :9020. Connect and send your ELF to the PS5 over that port and it'll run it. Assuming the ELF doesn't crash the browser, it can continue to run ELFs forever.

Exploit Stages

This exploit works in 5 stages, and for the most part follows the same exploit strategy as TheFlow's PoC.
  1. Trigger the initial UAF on ip6_pktopts and get two sockets to point to the same pktopts / overlap (master socket <-> overlap spray socket)
  2. Free the pktopts on the master socket and fake it with an ip6_rthdr spray containing a tagged tclass overlap.
  3. Infoleak step. Use pktopts/rthdr overlap to leak a kqueue from the 0x200 slab and pktopts from the 0x100 slab.
  4. Arbitrary read/write step. Fake pktopts again and find the overlap socket to use IPV6_RTHDR as a read/write primitive.
  5. Cleanup + patch step. Increase refcount on corrupted sockets for successful browser exit + patch data to enable debug menu and patch ucreds for uid0.
  6. Run ELF loader server that will accept and load/run ELFs. Currently WIP, does not support relocations at the moment.
Stability Notes

Stability for this exploit is at about 80-90% (up from about 30%), and it has two potential points of failure. In order of observed descending likelihood:
  1. Stage 1 fails to reclaim the UAF, causing immediate crash or latent corruption that causes crash.
  2. Stage 4 fails to find a victim socket
Research Notes
  • Based on various testing and dumping with the read primitive, it appeared that the PS5 had reverted to a 0x1000 page size compared to the PS4's 0x4000.
    • After further research, the page size is indeed still 0x4000, however due to some insane allocator changes, different slabs can be allocated in the same virtual page.
  • It also seems on PS5 that adjacent pages rarely belong to the same slab, as you'll get vastly different data in adjacent pages. Memory layout seems more scattered.
  • Often when the PS5 panics (at least in webkit context), there will be awful audio output as the audio buffer gets corrupted in some way.
  • Sometimes this audio corruption persists to the next boot, unsure why.
  • Similar to PS4, the PS5 will require the power button to be manually pressed on the console twice to restart after a panic.
  • It is normal for the PS5 to take an absurd amount of time to reboot from a panic if it's isolated from the internet (unfortunately). Expect boot to take 3-4 minutes.
Contributors / Special Thanks
Thanks to testers
  • Dizz (4.50/4.51)
Now, provided you have kernel offsets
No need if you know where the functions are :thumbup:
Idk what to tell you; the reason you can't do anything currently is XOM (enforced by the HV) and not being able to read where the functions are. If you know where they all are, disable CFI and call like normal in kernel context 🤷‍♂️
So if someone has a dump, either from decrypting or defeating the HV, and gives you the offsets/dumps required, making a kernel payload that disables CFI and calls functions doesn't need bypassing the HV at all afaik (could be mistaken for newer firmwares tho)
no p!racy yet. needs auth info to match the self :)
Looks like the devkit stuff is also left in on the PS5 too 🧐 Maybe one day I can pick up a PS5 to make a toolbox for it 🤔
Seems like most of the cool stuff lives in Sce.Vsh.ShellUI.ReactNativeShellApp.dll. It also looks like the settings menu got a revamp; it would need some new RE work to do the same as on PS4. Lots of debug goodies left behind though!
here are all 4.03 c# dlls
i'll take care of the exes later
you can use dnspy for example, to decompile code and check function names and variable names. this is mono c# without obfuscation
you can also use these dlls source code to e.g. find hidden button combos on PS5 (i'm looking at you 3226_2143)
here are the exes from PS5
remember that you can use dnspy to decompile these :)
  • app.7z (0.23 MB - executables extracted from the PS5 app sprxes)
it means that it's the first time someone has dumped system and system_ex modules from PS5 without defeating XOM, which could open more doors for fun things (maybe some extra debug settings like the ones we see in LegendaryOSM's toolbox)
unfortunately this only applies to 4.03 for the time being. with this i'm not saying that people should update tho
Thank you. Some Sony DT_ types no longer exist? Instead normal types are used, i.e. not 61000000 but DT_DYNAMIC. Some changed (may be wrong, but seems OK in testing):
Code:
61000009 ⇒ 61000041
6100000D ⇒ 61000043
6100000F ⇒ 61000045
61000013 ⇒ 61000047
61000015 ⇒ 61000049
It looks like symbol name hashing for NIDs on PS5 is identical to PS4.
OK. Here's one. In debug settings, D-pad Left + Square + R1 should do something regarding "PsnInGameCommerce".
Start + L3 has something to do with toggling a debug menu on/off. Not sure in what context. Requires SblRcMgrIsAllowDebugMenuForSettings to return 1.
PT_NOTE and PT_SCE_COMMENT program data are missing from the dump files. The file offset in the program header points past the end of the file. Is the dumping tool not able to read these parts of the .elf?
This data is not particularly useful, so it's not a huge problem. The dump is technically incomplete without them, though.
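Two points in this thread call for the same check: the README's ELF loader does not support relocations, and the 4.03 dumps carry PT_NOTE / PT_SCE_COMMENT program headers whose file offsets point past the end of the file. The following Python is an added example, not code from the exploit repo or from any poster here. It parses the ELF64 program headers of a dump, reports segments whose bytes lie outside the file, and lists relocation tags found in PT_DYNAMIC so an image that needs relocation processing can be rejected before it is sent to a loader that lacks it. The sample image is constructed inline; because the numeric value of PT_SCE_COMMENT is not given on the page, the truncated segment in the sample is a PT_NOTE.

```python
import struct

# ELF64 constants from the System V ABI that this example relies on
ELF64_EHDR_SIZE = 64
ELF64_PHDR_SIZE = 56
PT_LOAD, PT_DYNAMIC, PT_NOTE = 1, 2, 4
DT_NULL, DT_RELA, DT_RELASZ, DT_JMPREL = 0, 7, 8, 23
PT_NAMES = {PT_LOAD: "PT_LOAD", PT_DYNAMIC: "PT_DYNAMIC", PT_NOTE: "PT_NOTE"}
RELOC_TAGS = {DT_RELA: "DT_RELA", DT_RELASZ: "DT_RELASZ", DT_JMPREL: "DT_JMPREL"}
PHDR_FIELDS = ("p_type", "p_flags", "p_offset", "p_vaddr",
               "p_paddr", "p_filesz", "p_memsz", "p_align")


def parse_phdrs(data):
    """Return the program headers of a little-endian ELF64 image as dicts."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    if e_phentsize != ELF64_PHDR_SIZE:
        raise ValueError("unexpected e_phentsize %d" % e_phentsize)
    if e_phoff + e_phnum * ELF64_PHDR_SIZE > len(data):
        raise ValueError("program header table lies past end of file")
    return [dict(zip(PHDR_FIELDS,
                     struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * ELF64_PHDR_SIZE)))
            for i in range(e_phnum)]


def truncated_segments(data):
    """(index, type) of each segment whose file bytes run past the end of the image,
    i.e. the PT_NOTE / PT_SCE_COMMENT situation described in the thread."""
    hits = []
    for i, ph in enumerate(parse_phdrs(data)):
        if ph["p_filesz"] and ph["p_offset"] + ph["p_filesz"] > len(data):
            hits.append((i, PT_NAMES.get(ph["p_type"], "0x%08x" % ph["p_type"])))
    return hits


def relocation_tags(data):
    """Relocation-related dynamic tags found in an in-bounds PT_DYNAMIC segment.
    A non-empty result means the image needs relocation processing."""
    found = []
    for ph in parse_phdrs(data):
        end = ph["p_offset"] + ph["p_filesz"]
        if ph["p_type"] != PT_DYNAMIC or end > len(data):
            continue
        for off in range(ph["p_offset"], end - 15, 16):  # Elf64_Dyn is 16 bytes
            d_tag, _d_val = struct.unpack_from("<qQ", data, off)
            if d_tag == DT_NULL:
                break
            if d_tag in RELOC_TAGS:
                found.append(RELOC_TAGS[d_tag])
    return found


def build_sample_elf():
    """Constructed sample (not a real PS5 dump): a PT_LOAD covering the file, a PT_DYNAMIC
    carrying DT_RELA/DT_RELASZ, and a PT_NOTE whose offset points past the 304-byte EOF."""
    dyn_off, file_len = 256, 304
    dynamic = b"".join(struct.pack("<qQ", tag, val)
                       for tag, val in ((DT_RELA, 0x1000), (DT_RELASZ, 0x30), (DT_NULL, 0)))
    phdrs = [
        (PT_LOAD, 5, 0, 0x400000, 0x400000, file_len, file_len, 0x1000),
        (PT_DYNAMIC, 6, dyn_off, 0x400000 + dyn_off, 0x400000 + dyn_off,
         len(dynamic), len(dynamic), 8),
        (PT_NOTE, 4, 0x10000, 0x410000, 0x410000, 0x100, 0x100, 4),  # offset beyond EOF
    ]
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, little-endian
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x400000, ELF64_EHDR_SIZE,
                                 0, 0, ELF64_EHDR_SIZE, ELF64_PHDR_SIZE, len(phdrs), 0, 0, 0)
    image = ehdr + b"".join(struct.pack("<IIQQQQQQ", *ph) for ph in phdrs)
    image += bytes(dyn_off - len(image)) + dynamic
    return image + bytes(file_len - len(image))


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    print("segments past EOF:", truncated_segments(image))
    print("relocation tags:", relocation_tags(image))
```

Run it with a dump path as its argument; with no argument it checks the constructed sample, reporting the PT_NOTE as truncated and DT_RELA/DT_RELASZ as present. Section headers are deliberately ignored: a stripped dump may have none, and the program headers are what a loader actually consumes.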
added a couple button combos to PS5 wiki. thanks to 3226_2143 for the info
There seems to be a hidden debug settings menu that can maybe allow UART logs (You must press Start + L3 with debug settings enabled and it should pop up on your hackable PS5)
New piglet config size 0xa0. Config returned inside web browser
PS5 devkits have 3 modes (release / assist / development), testkits only 2 (release / assist)
If the debug menu is enabled you can supply debug configuration via /usb/0-7/webbrowser_dialog_config.json.
:arrow: PS5 4.03 HEN PS4 FPKG Enabler Payload & Porting Offsets by Sleirsgoevy!