PS5 Jailbreaking | Thread starter: PSXHAX | Start date: Oct 30, 2022 at 7:36 PM
Following the PlayStation 5 KEX v1.01 and the IPV6 PS5 Kernel Exploit for 3.xx-4.xx, PS5Scene developer @SpecterDev announced on Twitter today a PS5 IPV6 Kernel Exploit v1.02 update alongside a work-in-progress (WIP) homebrew PS5SDK, following the previously leaked PS5 DevKit, for building payloads / ELF files compatible with the ELF loader in the PS5 WebKit+Kernel Exploit chain.

Download: PS5-IPV6-Kernel-Exploit-v1.02.zip / GIT / PS5SDK-v0.1.zip / GIT

PS5 IPV6 Kernel Exploit v1.02 Changelog:
  • Adds support for firmwares 3.00, 3.20, 3.21, 4.02, and 4.51 (3.10 and 4.00 are partially supported) (thanks ChendoChap).
  • Now cleans up fds after exploitation so child processes don't inherit a bunch of resources unnecessarily.
  • Fixed various bugs in the ELF loader where incomplete reads could occur.
  • Added some entrypoint arguments to ELF loader for kernel read/write.
From the PS5 IPV6 Kernel Exploit README.md: PS5 4.xx Kernel Exploit

An experimental webkit-based kernel exploit (Arb. R/W) for the PS5 on <= 4.51FW

Summary

This repo contains an experimental WebKit ROP implementation of a PS5 kernel exploit based on TheFlow's IPV6 Use-After-Free (UAF), which was reported on HackerOne. The exploit strategy is for the most part based on TheFlow's BSD/PS4 PoC, with some changes to accommodate the annoying PS5 memory layout (see the Research Notes section below). It establishes an arbitrary read / (semi-arbitrary) write primitive. This exploit and its capabilities have a lot of limitations, and as such it's mostly intended for developers to play with to reverse engineer parts of the system.

With the latest stability improvements, reliability is at about 80%. This document will contain research info about the PS5, and the exploit will undergo continued development and improvements as time goes on.

Those interested in contributing to PS5 research/dev can join a discord I have set up here.

Exploit should now support the following firmwares:
  • 3.00
  • 3.10 (partially)
  • 3.20
  • 3.21
  • 4.00 (todo)
  • 4.02
  • 4.03
  • 4.50
  • 4.51
Currently Included
  • Obtains arbitrary read/write and can run a basic RPC server for reads/writes (or a dump server for large reads) (must edit your own address/port into the exploit file on lines 673-677)
  • Enables debug settings menu (note: you will have to fully exit settings and go back in to see it).
  • Gets root privileges
Limitations
  • This exploit achieves read/write, but not code execution. This is because we cannot currently dump kernel code for gadgets, as kernel .text pages are marked as eXecute Only Memory (XOM). Attempting to read kernel .text pointers will panic!
  • As per the above + the hypervisor (HV) enforcing kernel write protection, this exploit also cannot install any patches or hooks into kernel space, which means no homebrew-related code for the time being.
  • Clang-based fine-grained Control Flow Integrity (CFI) is present and enforced.
  • Supervisor Mode Access Prevention/Execution (SMAP/SMEP) cannot be disabled, due to the HV.
  • The write primitive is somewhat constrained, as bytes 0x10-0x14 must be zero (or a valid network interface).
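To make the "semi-arbitrary" write constraint concrete, here is an added example that is not code from the exploit (which does this inside exploit.js): a host-side planner that splits a desired write into 0x14-byte records so that the dword at offset 0x10 of every record is zero. It assumes the primitive writes a 0x14-byte in6_pktinfo-shaped record whose trailing ifindex field is validated by the kernel, which is my reading of the limitation above rather than something the README states. FakeMemory is a constructed stand-in for the real read/write primitives, and all function names are mine.

```python
PKTINFO_SIZE = 0x14   # bytes per write: 16-byte address + 4-byte ifindex (assumed layout)
IFINDEX_OFF = 0x10    # the README's "bytes 0x10-0x14 must be zero (or a valid interface)"
STRIDE = IFINDEX_OFF  # overlap records so the next write repairs the previous ifindex slot


class ConstrainedWriteError(ValueError):
    """Raised when the requested bytes cannot pass the ifindex check."""


def plan_pktinfo_writes(addr, data, read_mem, allowed_ifindex=(0,), clobber_tail=False):
    """Turn `data @ addr` into a list of (address, 0x14-byte record) writes.

    read_mem(addr, n) is the arbitrary-read primitive; it fills the part of the
    last record that extends past `data`, so bytes beyond the target survive.
    The last record's ifindex slot is the 4 bytes right after the requested
    region: they must already hold an allowed value, or be zeroed (clobber_tail).
    """
    writes, n, off = [], len(data), 0
    if n == 0:
        return writes
    while True:
        a = addr + off
        rec = data[off:off + PKTINFO_SIZE]
        if len(rec) < PKTINFO_SIZE:
            rec += read_mem(a + len(rec), PKTINFO_SIZE - len(rec))
        if off + IFINDEX_OFF >= n:
            # Last record: every requested byte sits in its first 0x10 bytes, so the
            # ifindex slot is memory the caller did not ask to change.
            ifindex = int.from_bytes(rec[IFINDEX_OFF:], "little")
            if ifindex not in allowed_ifindex:
                if not clobber_tail:
                    raise ConstrainedWriteError(
                        f"bytes at {a + IFINDEX_OFF:#x} are {ifindex:#x}; the primitive "
                        f"only lets them be one of {allowed_ifindex}")
                rec = rec[:IFINDEX_OFF] + b"\0" * 4   # caller accepted losing these 4 bytes
            writes.append((a, rec))
            return writes
        # Not the last record: its ifindex slot is rewritten by the next record
        # (STRIDE == IFINDEX_OFF), so it only has to be zero transiently.
        writes.append((a, rec[:IFINDEX_OFF] + b"\0" * 4))
        off += STRIDE


class FakeMemory:
    """Constructed stand-in for the kernel read/write primitives (host-side only)."""

    def __init__(self, base, size, fill=b"\0"):
        self.base, self.buf = base, bytearray(fill * size)

    def read(self, addr, n):
        o = addr - self.base
        return bytes(self.buf[o:o + n])

    def write_pktinfo(self, addr, rec, allowed_ifindex=(0,)):
        """Models the kernel-side check: a record with a bad ifindex is refused."""
        if len(rec) != PKTINFO_SIZE:
            raise ValueError("a pktinfo write is exactly 0x14 bytes")
        ifindex = int.from_bytes(rec[IFINDEX_OFF:], "little")
        if ifindex not in allowed_ifindex:
            raise ConstrainedWriteError(f"kernel would reject ifindex {ifindex:#x}")
        o = addr - self.base
        self.buf[o:o + PKTINFO_SIZE] = rec


def write_bytes(mem, addr, data, clobber_tail=False):
    """Plan first, then apply; returns the number of pktinfo records used.
    Planning completes before anything is written, so a refused write leaves memory untouched."""
    writes = plan_pktinfo_writes(addr, data, mem.read, clobber_tail=clobber_tail)
    for a, rec in writes:
        mem.write_pktinfo(a, rec)
    return len(writes)
```

Two things the planner makes visible: the 4 bytes immediately after any write target must already be zero (or a live ifindex) unless you are willing to clobber them, and every record except the last zeroes its tail dword transiently before the next record restores it, which matters if the target is a structure the kernel is reading concurrently.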
How to use
  1. Configure fakedns via dns.conf to point manuals.playstation.net to your PC's IP address
  2. Run the fake DNS server: python fakedns.py -c dns.conf
  3. Run the HTTPS server: python host.py
  4. In the PS5's advanced network settings, set the primary DNS to your PC's IP address and leave the secondary at 0.0.0.0
    • Sometimes the manual still won't load and a restart is needed; the cause is unknown
  5. Go to the user manual in settings, accept the untrusted certificate prompt, and run the exploit
  6. Optional: run the rpc/dump server scripts (note: the address/port must be substituted in binary form into exploit.js).
Future work
  • Fix-up sockets to exit browser cleanly (top prio)
  • Write some data patches (second prio)
    • Enable debug settings
    • Patch creds for uid0
    • Jailbreak w/ cr_prison overwrite
  • Improve UAF reliability
  • Improve victim socket reliability (third prio)
  • Use a better / more consistent leak target than kqueue (no longer necessary)
  • Make ELF loader support relocations
Using ELF Loader

To use the ELF loader, run the exploit until completion. Upon completion it runs a server on port 9020. Connect and send your ELF to the PS5 over that port and it will run it. Assuming the ELF doesn't crash the browser, the loader can keep accepting and running ELFs indefinitely.
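The upload step above, as an added example that is not part of the exploit repository: a small Python helper that pre-flights a payload before sending it to the port-9020 loader. The loader's protocol is not documented beyond "connect and send", so the helper assumes it reads the image until the connection is closed, and that it wants a static, non-relocated x86-64 ET_EXEC, which follows from the README's note that relocations are unsupported. Function names are mine, and build_test_elf constructs a throwaway image for offline testing, not a real payload.

```python
import socket
import struct
import sys

# ELF64 constants from the System V ABI
ELFCLASS64, ELFDATA2LSB = 2, 1
ET_EXEC, EM_X86_64 = 2, 62
PT_LOAD = 1
SHT_RELA, SHT_REL = 4, 9
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr, 56 bytes
SHDR = struct.Struct("<IIQQQQIIQQ")         # Elf64_Shdr, 64 bytes
LOADER_PORT = 9020                          # port the exploit's ELF loader listens on (README)


def preflight_elf(data: bytes) -> list:
    """Return a list of problems; an empty list means the image looks loadable by a
    relocation-free loader (assumption: it expects a static x86-64 ET_EXEC)."""
    problems = []
    if len(data) < EHDR.size:
        return ["file shorter than an ELF64 header"]
    (ident, e_type, e_machine, _, e_entry, e_phoff, e_shoff, _, _,
     e_phentsize, e_phnum, e_shentsize, e_shnum, _) = EHDR.unpack_from(data, 0)
    if ident[:4] != b"\x7fELF":
        problems.append("bad ELF magic")
    if ident[4] != ELFCLASS64 or ident[5] != ELFDATA2LSB:
        problems.append("not a little-endian ELF64 image")
    if e_machine != EM_X86_64:
        problems.append(f"e_machine={e_machine}, expected EM_X86_64 ({EM_X86_64})")
    if e_type != ET_EXEC:
        problems.append(f"e_type={e_type}; a PIE/shared object needs relocations, "
                        "which the loader does not apply")
    # The entry point has to land inside a PT_LOAD segment.
    covered = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if e_phentsize < PHDR.size or off + PHDR.size > len(data):
            problems.append("program header table truncated")
            break
        p_type, _, _, p_vaddr, _, _, p_memsz, _ = PHDR.unpack_from(data, off)
        if p_type == PT_LOAD and p_vaddr <= e_entry < p_vaddr + p_memsz:
            covered = True
    if not covered:
        problems.append(f"e_entry {e_entry:#x} is not inside any PT_LOAD segment")
    # Relocation sections mean the image was built expecting a fix-up pass.
    for i in range(e_shnum):
        off = e_shoff + i * e_shentsize
        if e_shentsize < SHDR.size or off + SHDR.size > len(data):
            problems.append("section header table truncated")
            break
        sh_type = SHDR.unpack_from(data, off)[1]
        if sh_type in (SHT_RELA, SHT_REL):
            problems.append(f"section {i} is a relocation section (sh_type={sh_type}); "
                            "the loader does not apply relocations")
    return problems


def send_elf(host: str, data: bytes, port: int = LOADER_PORT, timeout: float = 10.0) -> int:
    """Pre-flight the image, then stream it to the loader. Returns the byte count sent."""
    problems = preflight_elf(data)
    if problems:
        raise ValueError("refusing to send: " + "; ".join(problems))
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(data)
        sock.shutdown(socket.SHUT_WR)   # assumption: the loader reads until EOF
    return len(data)


def build_test_elf(with_rela: bool = False) -> bytes:
    """Constructed minimal x86-64 ET_EXEC (not a real payload): one PT_LOAD segment
    holding a `ret`, optionally followed by a section table containing a SHT_RELA entry."""
    base, code = 0x400000, b"\xc3"
    code_off = EHDR.size + PHDR.size
    shoff, shnum, shdrs = 0, 0, b""
    if with_rela:
        shoff, shnum = code_off + len(code), 2
        shdrs = SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0) + \
                SHDR.pack(1, SHT_RELA, 0, 0, 0, 0, 0, 0, 8, 24)
    ident = b"\x7fELF" + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\0" * 8
    ehdr = EHDR.pack(ident, ET_EXEC, EM_X86_64, 1, base + code_off, EHDR.size, shoff, 0,
                     EHDR.size, PHDR.size, 1, SHDR.size, shnum, 0)
    size = code_off + len(code)
    phdr = PHDR.pack(PT_LOAD, 5, 0, base, base, size, size, 0x1000)
    return ehdr + phdr + code + shdrs


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <ps5-ip> <payload.elf>")
    with open(sys.argv[2], "rb") as f:
        print(f"sent {send_elf(sys.argv[1], f.read())} bytes")
```

Run it as `python send_elf.py <ps5-ip> payload.elf` after the exploit reports the loader is up. The pre-flight is there because a PIE or an image carrying .rela sections will not fail cleanly on the console: the loader just jumps to unrelocated code, and the browser (or the kernel) crashes.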

Exploit Stages

This exploit works in six stages, and for the most part follows the same exploit strategy as TheFlow's PoC.
  1. Trigger the initial UAF on ip6_pktopts and get two sockets to point to the same pktopts / overlap (master socket <-> overlap spray socket)
  2. Free the pktopts on the master socket and fake it with an ip6_rthdr spray containing a tagged tclass overlap.
  3. Infoleak step. Use pktopts/rthdr overlap to leak a kqueue from the 0x200 slab and pktopts from the 0x100 slab.
  4. Arbitrary read/write step. Fake pktopts again and find the overlap socket to use IPV6_RTHDR as a read/write primitive.
  5. Cleanup + patch step. Increase refcount on corrupted sockets for successful browser exit + patch data to enable debug menu and patch ucreds for uid0.
  6. Run ELF loader server that will accept and load/run ELFs. Currently WIP, does not support relocations at the moment.
Stability Notes

Stability for this exploit is at about 80-90%, and it has two potential points of failure. In descending order of observed likelihood:
  1. Stage 1 fails to reclaim the UAF, causing immediate crash or latent corruption that causes crash.
  2. Stage 4 fails to find a victim socket
Research Notes
  • It appears based on various testing and dumping with the read primitive, that the PS5 has reverted back to 0x1000 page size compared to the PS4's 0x4000.
    • After further research, the page size is indeed still 0x4000, however due to some insane allocator changes, different slabs can be allocated in the same virtual page.
  • It also seems on PS5 that adjacent pages rarely belong to the same slab, as you'll get vastly different data in adjacent pages. Memory layout seems more scattered.
  • Often when the PS5 panics (at least in webkit context), there will be awful audio output as the audio buffer gets corrupted in some way.
  • Sometimes this audio corruption persists to the next boot, unsure why.
  • Similar to PS4, the PS5 will require the power button to be manually pressed on the console twice to restart after a panic.
  • It is normal for the PS5 to take an absurd amount of time to reboot from a panic if it's isolated from the internet (unfortunately). Expect boot to take 3-4 minutes.
Contributors / Special Thanks
Thanks to testers
  • Dizz (4.50/4.51)
And from the homebrew PS5SDK README.md: PS5 SDK

An SDK to build payloads/ELF files compatible with the loader in the PS5 WebKit+Kernel Exploit chain.

Note: As this SDK is a work-in-progress, it's subject to major changes between releases until it approaches a stable version (1.0).

This repository contains source code and documentation for a work-in-progress Software Development Kit (SDK) for the PS5. It contains the headers, libraries, and helpers to build ELF files for the PS5. Currently, it's intended mostly for payloads to load into the WebKit-based ELF loader, though it can also be used for simple homebrew. It cannot build full proper applications at the moment, as we do not have full homebrew support.

The header files as well as the C Runtime (CRT) are a WIP and will require updating; feel free to fork and submit pull requests to update support. This is especially true for Sony-specific library functions.

C++ standard library (STL) is not supported, though bare-metal C++ should work.

Entrypoint

For applications/payloads, payload_main() is the entry routine. It takes a struct payload_args pointer as its argument. These arguments are provided by WebKit when loading the ELF. They contain the information necessary for dlsym as well as for kernel hacking if needed. The struct is provided in the ps5/payload_main.h header, which should be included in every project.
Code:
#include <stdint.h>

/* As declared in ps5/payload_main.h; filled in by the WebKit ELF loader */
struct payload_args
{
    dlsym_t* dlsym;             /* used internally by the CRT; ignore */
    int *rwpipe;                /* pass through to kernel_init_rw() */
    int *rwpair;                /* pass through to kernel_init_rw() */
    uint64_t kpipe_addr;        /* pass through to kernel_init_rw() */
    uint64_t kdata_base_addr;   /* kernel data base, for kernel hacking */
    int *payloadout;            /* used internally by the CRT; ignore */
};
dlsym and payloadout should be ignored as they're used by the CRT internally. rwpipe, rwpair, and kpipe_addr should be passed through to kernel helper kernel_init_rw() for internal use. kdata_base_addr is provided for convenience for kernel hacking. To see how these args should be used and how kernel hacking works, see the pipe_p!rate example.

Kernel hacking support

Some examples (such as pipe_p!rate) are firmware-dependent as they have offsets that are specific to that FW. For these types of projects, ensure the PS5SDK_FW environment variable is set. For example, if you're targeting 4.03, PS5SDK_FW should be set to 0x403. Below are currently supported firmwares for kernel hacking:
  • 3.00 (0x300)
  • 3.20 (0x320)
  • 3.21 (0x321)
  • 4.02 (0x402)
  • 4.03 (0x403)
  • 4.50 (0x450)
  • 4.51 (0x451)
Offsets that are common such as ones used by examples are in /ps5/kernel_offsets.

There is a kernel_helper header and CRT support for arbitrary read/write. For more information, see docs/kernel_hacking.md

Dependencies
  • CMake (version >= 3.20)
  • Ninja
  • Clang/lld
Build system

This SDK uses cmake and ninja for its build system. The toolchain file can be found at cmake/toolchain-ps5.cmake. If you wish to build a project outside the source tree, be sure to set the PS5SDK environment variable to the root path of this repository.

The root CMakeLists.txt builds the CRT in /crt and the /examples projects. Each example project has its own build files, which can be referenced or copied for use in your own projects.

Build instructions

First, clone or extract this SDK to a directory, and set the PS5SDK environment variable to point to it. These instructions can be used for the SDK root as well as any projects that use the example CMakeLists. The SDK library must be built first if you're not using a release version.

CLI

Note: The build.sh script contains the below commands to run easily, assuming the PS5SDK env var is set.

1. Configure cmake.
Code:
$ cmake -G Ninja -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_TOOLCHAIN_FILE=$PS5SDK/cmake/toolchain-ps5.cmake .
2. Build with ninja
Code:
$ ninja
Clion IDE
  1. Go to File -> Settings -> Build, Execution, Deployment -> CMake
  2. Set "CMake options":
Code:
-G Ninja -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_TOOLCHAIN_FILE=[PS5 SDK root]/cmake/toolchain-ps5.cmake .
  3. Set "Environment" to the following environment variables:
Code:
PS5SDK=[PS5 SDK root]
PS5SDK_FW=[target FW]
VSCode
  1. Ensure ninja is available on your system and can be found in your PATH.
  2. You may need to update the toolchainFile path in CMakePresets.json to [PS5 SDK root]/cmake/toolchain-ps5.cmake, particularly if building outside the source tree.
  3. Once you open the project, it should prompt to configure cmake. Alternatively, go to the "CMake" tab and "Configure All Projects" + "Build All Projects"
Dlsym

Dynamic library symbols are resolved at runtime via dlsym() from libkernel. This is handled by the CRT before the payload entrypoint is ever called. Libraries that are supported in the SDK have a source file in /crt as well as an accompanying header file in /ps5. Over time, we'll add resolving and declarations for more functions.

To start with, most standard library functions from libkernel/libc have been added. There are a few Sony functions which have been added thanks to reversing from the PS4 efforts.

See docs/dlsym.md for more information on how to add support for functions or libraries.

License

This project is licensed under the GPLv2 license - see the LICENSE file for details.

Maintainers + Special Thanks
  • Specter (lead maintainer)
  • Znullptr (lead maintainer)
  • ChendoChap (lead maintainer)
 

Comments

helix0
Hi - after a very lengthy time watching eBay auctions, I finally got my hands on a 4.03 firmware PS5. Whilst we wait for a full jailbreak, could anybody advise whether this is best left on a shelf or whether I could buy a game like Fifa23 disc to play offline... in other words do retail discs require firmware updates and if so, is there a way to determine which retail games are 4.03 or earlier?

I really don't want to risk the kids accidentally applying an update or something so would prefer it if it didn't say "click x to install" etc.!

Thanks
 