Category: PS4 Jailbreaking | Thread starter: PSXHAX | Start date: Dec 3, 2023 at 7:10 PM | Replies: 229
Status
Not open for further replies.
This weekend PS4 Scene developer @CelesteBlue announced on Twitter a PSFree WebKit Exploit for PS4 6.00 to 9.60, crediting Sergei Glazunov and Maddie Stone (Twitter) of Project Zero for discovering the vulnerability, anonymous for writing the PSFree Exploit, and himself for testing, porting and improvements. Also incoming is QuickHEN PS4, a collection of WebKit exploits for PlayStation 4 System Software versions between 3.15 and 9.60, with Kernel exploits between 3.15 and 9.00 only, albeit requiring more work. Alongside these are Laps3c0re, a port of the Lapse kernel exploit implementation by abc using Mast1c0re by McCaulay as an entry point, and Y2JB Userland code execution by Gezine using the PS5 YouTube (USA) app v1.03 PKG, crediting Remote_Lua_Loader. 🔥

Download:
  • psfree-1.2.0.zip (39.93 KB)
  • GIT
  • PSFree Exploit (Live Demo) via @zecoxao on Twitter
  • psfree-beta2.7z (16.34 KB) via abc for 8.0x
  • psfree-beta3.7z (24.60 KB) via abc
  • PSFree Beta 3 Version (Live Demo) via Kameleonre_
  • psfree-1.3.0.7z (30.30 KB) via abc
  • psfree-beta-140.7z (37.05 KB) via abc
  • PS5 Kernel Exploit 3.xx-4.xx (PSFree Integrated Live Demo)
  • PS5 Exploit Host via idlesauce
  • PSFree900-main.zip
  • PSFree900 GIT
  • PSFree 9.00 FW (Live Demo) via Kameleonre_
  • 9.00 FW PSFree with GoldHEN (Live Demo) via ps3120
  • 6.72 FW PSFree with GoldHEN via ps3120
  • psfree-beta3-140.7z (37.92 KB) via abc
  • psfree-beta4-140.7z (37.93 KB) via abc
  • psfree700-main.zip (36.1 KB)
  • PSFree 7.02 FW via Kameleonre_
  • psfree-150b.7z (171.98 KB) by abc via master_s9
  • PS5-UMTX-Jailbreak-psfree-150b.zip
  • GIT Fork via idlesauce
  • psfree-1.5rc1.7z (193.33 KB) via abc
  • Mirror
This comes following the PS4 NoBD: BD Driveless Updating & No BD Updater Payloads / PS4 NoBD Toolkit, HDD_Script.py to Retrieve Data from Any PS4 Console via SFlash Dump, PS4 CR0.WP Protection Kernel Security Bypass and pOOBs4: PS4 9.00 Jailbreak Exploit via ChendoChap with Updated Payloads previously released.

Here are further details from the included README.txt:

PSFree version 1.2.0

PSFree is a WebKit exploit using CVE-2022-22620 to gain arbitrary read/write.

This exploit was initially for the PS4 firmware version 8.03. CelesteBlue has tested and confirmed that the original works on 7.00-8.52 and helped in making the patches for 6.00-6.72, 9.00-9.60, and PS5 1.00-5.50.

CREDITS:
  • CelesteBlue from ps4-dev on discord.com for testing and porting to other firmwares
  • Quentin Meffre (0xdagger) and Mehdi Talbi (abu_y0ussef) for the 6.xx buildBubbleTree() UaF exploit that served as the framework for this exploit
  • Maddie Stone for the CVE writeup
Notes on reimplementing this project and testing on firmwares != 8.03:
  • num_reuse and num_str must be changed if the proof-of-concept is failing
  • 6.xx firmwares need a setTimeout() after a gc() for garbage collection to work. The duration may also need changing.
These values are in exploit.mjs. This implementation was tested on 8.03.

The values are implementation dependent. Even if you are on the same firmware and you test 2 different implementations, you may need to change the values.

For example, if you reimplement the project with setTimeout() callbacks instead of using Promises, even if you are on 8.03, you may need different values.

Changelog:

1.2.0:
  • add support for PS4 6.00-6.20
1.1.0:
  • add support for running ROP chains (PS4 8.03)
  • add support for calling syscalls (PS4 8.03)
1.0.0:
  • add proof-of-concept code to gain arbitrary read/write (PS4 6.50-9.60/PS5 1.00-5.50)
OLD README:

PSFree is a WebKit exploit using CVE-2022-22620 to gain arbitrary read/write.

This exploit is for the PS4 firmware version 8.03.

Porting to other firmware versions:

The only non-portable parts of the exploit (assuming the firmware is vulnerable) are:

1. the size of SerializedScriptValue and the offsets of its fields
2. how to achieve an arbitrary decrement primitive

There are also other objects used by this exploit, such as StringImpl. They too are subject to change between firmware versions, but they are very stable, hence why we did not list them.

Number 2 is used to corrupt the length of the JSArrayBufferView. This exploit manipulated the destructor ~SerializedScriptValue() to achieve the wanted result.

There is possibly a restricted free primitive via repeatedly corrupting any object that gets allocated at a JSArrayBufferView and changing its contents so that it frees another object.

For example, you could modify a StringImpl to have its data pointer point to a target address, set its BufferOwnership to BufferOwned, and have it destroyed.

The primitive is restricted because you can only fastFree() addresses known to the fastMalloc allocator. This means an address on the fastMalloc heap, regardless of whether it is free or not.

This means you can recreate any previous fastMalloc use-after-free exploit.


Comments

Thanks for sharing. I've started using the PSFree Webkit exploit on PS4 Pro 9.03. It works brilliantly and is so quick to run. It's been very stable with no issues apart from an occasional kernel panic when I shut down.

I was previously using PPPwn, which (requiring LAN) was not the quickest way to jailbreak. I was initially reluctant to switch to PSFree Webkit as I was not sure how stable it would be.

Interested to know if others with a similar set-up have the same experience with PSFree Webkit?
 
I have recently used the latest BD-JB-1250 as published by Gezine, with the Lapse exploit and the AIO fixes, and I have to admit that it was really super easy to use.

It is maybe more complicated to find a Blu-ray disc writer to use or buy, because these devices are not used much and the prices are not cheap (but luckily there are a few used ones available at a better price).

In comparison to other systems that I've tried in the past, like PPPwn or pOOBs, this is maybe not the shortest, but for sure the easiest to use (as long as you have access to a Blu-ray disc writer or to a premade disc).
 
When I purchased a PS4 PRO, I was on 11.0; the PPPwn method was not yet available, everything was new to me, and I ended up updating the console to 11.02.

Two years have passed, and I'm currently on the same version, but now with the BD-J method Lapse jailbreak exploit, so I dug up a used Blu-ray recorder like those that come with Sony Vaio notebooks.

It is a 100% functional method; on version 11.02 I have to restart the console a few times so that the payload can be recognized. I don't know if it is because of the version, but that is not something that bothers me. Happy to have finally gotten a fully unlocked PS4 😎
 
My PS4 is version 11.52. I have tried the BD-JB Lapse 1.2. It was successful on the first try and I am impressed it worked right away with no issue.

Now I have suddenly become excited again about my PS4, although it has already been a couple of years since I bought it.

I look forward to an untethered jailbreak. I am a bit nervous that my Blu-ray BD-JB might not be so durable. Nevertheless, I give my big thanks!
 
Thanks a lot for supporting what my original plan was with your opinion.

But I will not go up further than 4.51 to get the most out of it. 😉
 
Hey! Ever since I first gripped a PS1 controller as a kid I knew gaming would stick with me. I've followed the hacker scene since the PS3. Damn time flies. It's awesome to see so many new devs pitching in and keeping the PlayStation community alive.

After a long break I'm back and catching up on what's changed, like newer systems, homebrew, all that. I'm running firmware 8.00 on a PS5 Spider-Man Limited Edition and still figuring out the best way to run things. Luckily there are a bunch of friendly people around to help.

From what I've read, Lua-based exploits don't work past 10.1. Is that right, and if so, why?
 
I just caught up with the recent state of the jailbreaking scene, and to say I'm very impressed with the speed at which it's all happening is an understatement.

The last console I chipped was my Xbox 360; the soldering for that chip was very difficult! But I did it, along with the FW hack for the DVD drive. Also had a jailbroken PS3, which was much easier!

Had a PS4 sat in a cupboard, so I was well chuffed when I found it was sat on FW 10.01! Can't believe how easy these jailbreaks are now without soldering chips!

GoldHEN seems very stable on the PS4 currently, but I have noticed the PS5 exploit can be quite unstable, though I suppose it is early(ish) days.
 
Great README - clear versioning and changelog. I noticed num_reuse/num_str and the Promise vs setTimeout differences are critical for porting - add a short diagnostics section (what log symptoms indicate wrong values). Also suggest a simple issue template (FW, implementation, log snippets) to speed up support.
 
PSFree feels way smoother and more flexible. It's WebKit-based and runs on more firmwares; the only downside was stability, as it causes games to only display a black screen. Some people also report it corrupted save games.

After using it for a while I switched back to pOOBs4 on 9.00. The downside was it only worked on that one firmware and you had to mess around with the USB race condition, which made it kind of clunky and crash-prone. But I use an ESP32 to host an exploit and the USB functionality needed for the jailbreaks to work.

By the way, there's an updated version of psfree-lapse linked in the OP, maintained by Al-Azif, that is trying to mitigate the black screen/save issue with certain games via post-exploit patches.
 