Category: PS4 Jailbreaking | Thread starter: PSXHAX | Start date: Dec 3, 2023 at 7:10 PM | Replies: 229
Status: Not open for further replies.
This weekend PS4 Scene developer @CelesteBlue announced on Twitter a PSFree WebKit Exploit for PS4 6.00 to 9.60, crediting Sergei Glazunov and Maddie Stone (Twitter) of Project Zero for discovering the vulnerability, anonymous for writing the PSFree Exploit, and himself for testing, porting and improvements. Alongside it, a QuickHEN PS4 collection is incoming of WebKit exploits for PlayStation 4 System Software versions between 3.15 and 9.60, with Kernel exploits between 3.15 and 9.00 only (albeit requiring more work), as well as Laps3c0re, a port of the Lapse kernel exploit implementation by abc that uses Mast1c0re by McCaulay as an entry point, and Y2JB Userland code execution by Gezine using the PS5 YouTube (USA) app v1.03 PKG, crediting Remote_Lua_Loader. 🔥

Download:
  • psfree-1.2.0.zip (39.93 KB) / GIT
  • PSFree Exploit (Live Demo) via @zecoxao on Twitter
  • psfree-beta2.7z (16.34 KB) via abc for 8.0x
  • psfree-beta3.7z (24.60 KB) via abc
  • PSFree Beta 3 Version (Live Demo) via Kameleonre_
  • psfree-1.3.0.7z (30.30 KB) via abc
  • psfree-beta-140.7z (37.05 KB) via abc
  • PS5 Kernel Exploit 3.xx-4.xx (PSFree Integrated Live Demo)
  • PS5 Exploit Host via idlesauce
  • PSFree900-main.zip / PSFree900 GIT
  • PSFree 9.00 FW (Live Demo) via Kameleonre_
  • 9.00 FW PSFree with GoldHEN (Live Demo) via ps3120
  • 6.72 FW PSFree with GoldHEN via ps3120
  • psfree-beta3-140.7z (37.92 KB) via abc
  • psfree-beta4-140.7z (37.93 KB) via abc
  • psfree700-main.zip (36.1 KB)
  • PSFree 7.02 FW via Kameleonre_
  • psfree-150b.7z (171.98 KB) by abc via master_s9
  • PS5-UMTX-Jailbreak-psfree-150b.zip / GIT Fork via idlesauce
  • psfree-1.5rc1.7z (193.33 KB) via abc / Mirror
This comes following the PS4 NoBD: BD Driveless Updating & No BD Updater Payloads / PS4 NoBD Toolkit, HDD_Script.py to Retrieve Data from Any PS4 Console via SFlash Dump, PS4 CR0.WP Protection Kernel Security Bypass and pOOBs4: PS4 9.00 Jailbreak Exploit via ChendoChap with Updated Payloads previously released.

Here are further details from the included README.txt:

PSFree version 1.2.0

PSFree is a WebKit exploit using CVE-2022-22620 to gain arbitrary read/write.

This exploit was initially for the PS4 firmware version 8.03. CelesteBlue has tested and confirmed that the original works on 7.00-8.52 and helped in making the patches for 6.00-6.72, 9.00-9.60, and PS5 1.00-5.50.

CREDITS:
  • CelesteBlue from ps4-dev on discord.com for testing and porting to other firmwares
  • Quentin Meffre (0xdagger) and Mehdi Talbi (abu_y0ussef) for the 6.xx buildBubbleTree() UaF exploit that served as the framework for this exploit
  • Maddie Stone for the CVE writeup
Notes on reimplementing this project and testing on firmwares != 8.03:
  • num_reuse and num_str must be changed if the proof-of-concept is failing
  • 6.xx firmwares need a setTimeout() after a gc() for garbage collection to work. The duration may also need changing.
These values are in exploit.mjs. This implementation was tested on 8.03.

The values are implementation dependent. Even if you are on the same firmware and you test 2 different implementations, you may need to change the values.

For example, if you reimplement the project with setTimeout() callbacks instead of using Promises, even if you are on 8.03, you may need different values.

Changelog:

1.2.0:
  • add support for PS4 6.00-6.20
1.1.0:
  • add support for running ROP chains (PS4 8.03)
  • add support for calling syscalls (PS4 8.03)
1.0.0:
  • add proof-of-concept code to gain arbitrary read/write (PS4 6.50-9.60/PS5 1.00-5.50)
OLD README:

PSFree is a WebKit exploit using CVE-2022-22620 to gain arbitrary read/write.

This exploit is for the PS4 firmware version 8.03

Porting to other firmware versions:

The only non-portable parts of the exploit (assuming the firmware is vulnerable) are:

1. the size of SerializedScriptValue and the offsets of its fields
2. how to achieve an arbitrary decrement primitive

There are also other objects used by this exploit, such as StringImpl. They too are subject to change between firmware versions, but they are very stable, which is why we did not list them.

Number 2 is used to corrupt the length of the JSArrayBufferView. This exploit manipulated the destructor ~SerializedScriptValue() to achieve the wanted result.

There is possibly a restricted free primitive via repeatedly corrupting any object that gets allocated at a JSArrayBufferView and changing its contents so that it frees another object.

For example, you could modify a StringImpl so that its data pointer points to a target address, set its BufferOwnership to BufferOwned, and have it destroyed.

The primitive is restricted as you can only fastFree() addresses known by the fastMalloc allocator. This means an address on the fastMalloc heap, regardless of whether it is free or not.

This means you can recreate any previous fastMalloc use-after-free exploit.


Comments

Hello, all. I am wondering if there is any point in still hanging onto the 5.05 fw.. I use the Hen 2.1 from my user manual backdoor, but I set this all up long, long ago.

So, my question is this: aside from having a little more access to games that aren't BP yet, are there any reasons to/not to run a different FW?
 
Based on my experience, an update to 9.00 is what I would do in order to have much more varied access to the new games that are coming out. 9.00 is very stable and will not give you any problems.

On the other hand, there are no notable differences between 5.05 and 9.00, especially in safety aspects that are not visible to the naked eye.

Both 5.05 and 9.00 are 2 comfortable versions to jailbreak.
 
Hey, I’ve actually tinkered around with those PS4 WebKit exploits myself—every new release feels like a fun puzzle! Getting 'PSFree' to run on my own console was a journey, with lots of trial-and-error, especially on newer firmware versions. Sometimes you hit a kernel panic and think you bricked the thing, but most of the time it’s just a reset and you’re good.

The advice from the forum to brute-force and automate the restart using external hardware? I totally tried something similar, and it saved me from having to babysit endless crashes. The devs pushing updates and creating ported versions make everything smoother, so props to them.

If you’re just starting out, be patient and read up before you start—lots of little tricks to make it work, and having backups is a must. It’s exciting to see the community overcome every obstacle Sony throws at us. Thank you again for all the help provided by the members of the forum.
 
So, I tried loading the 9.00 kernel for the first time using the Al Azif exploit, and I am getting a 'UA Match?: Mismatched'.. I'm terrified of screwing something up and can't seem to find anything relevant online. I don't feel super confident in starting from scratch, but want new games! Advice?

The only term that comes to mind is 'User Agreement', in which I have no idea how to begin to resolve..
 
Came here after the Lapse jailbreak was finally released with BD on 12.02 firmware, which does not rely on WebKit anymore. Still concerned about the feasibility of it though. Blu-ray writers are not so readily available and cost a lot. So it will be a pain to find one.

On the other hand, getting pre-burned files is a viable option, but those discs will probably be writable only once, so in case of an update of the jailbreak, I might need to get the disc again. But compared to getting lua games, this method still looks better. Also it's pretty fast and easy to load and does not require tinkering too much with the hardware. Definitely gonna try this Lapse BD method on my PS4.
 
I have jailbroken 9. Stability and support are better than expected. The exploit is simple and effective to use; looking forward to a similar exploit for a 12.52-type update. The current lua exploit may not be as stable and user friendly.

The ongoing support by the developers is fantastic to see, and I look forward to many new updates over the coming times. Without your wonderful work this type of fun would not be possible.
 
I'm on a BD-JB + Lapse jailbroken PS4 Pro 11.02. It's the easiest thing to do, though the GoldHEN rest mode support is hit and miss, easily fixed by letting the disc sit in the drive.

Updating to the newest goldhen was also a breeze as they've added BD autokill and auto eject, very handy.
 
Finally got myself on the no usb wagon. Question, is the manual plugin fix still necessary? I'm having issues with a couple games.
 
What would you guys recommend, when having a PS5 3.00 disc-version and also a PS5 3.0 diskless version... both still on their OFW.

Should I upgrade both to 4.51 or are other more 'modern' but still fully working exploitable FWs out there, which are better these days?
 
@SMK1982 personally I would keep the discless PS5 on 3.0 in hopes of a hypervisor exploit. From what I understand from following the scene, it should be the next thing they figure out how to bypass, and that opens up more opportunities for what you can do with your PS5.

As far as the other PS5, I'm not sure if upgrading it would be worth it or not. It would give you the option to play newer games. From what I have seen in the scene, the guys who put out the exploits always advise staying on the lowest FW possible. You can jailbreak one of them now with the web exploit without having to update.

Ultimately the decision is up to you and what you want to do with the PS5. From what I remember, 5.50 is the last FW the web exploit works on, so anything under that you should be safe.
 