Category: PS4 Jailbreaking | Thread starter: PSXHAX | Start date: Dec 3, 2023 at 7:10 PM | Replies: 229
Status
Not open for further replies.
This weekend PS4 Scene developer @CelesteBlue announced on Twitter a PSFree WebKit Exploit for PS4 6.00 to 9.60, crediting Sergei Glazunov and Maddie Stone (Twitter) of Project Zero for discovering the vulnerability, anonymous for writing the PSFree Exploit, and himself for testing, porting and improvements. Alongside it comes an incoming QuickHEN PS4 collection of WebKit exploits for PlayStation 4 System Software versions between 3.15 and 9.60, with Kernel exploits between 3.15 and 9.00 only, albeit requiring more work. Also announced were Laps3c0re, a port of the Lapse kernel exploit implementation by abc using Mast1c0re by McCaulay as an entry point, and Y2JB Userland code execution by Gezine using the PS5 YouTube (USA) app v1.03 PKG, crediting Remote_Lua_Loader. 🔥

Download:
  • psfree-1.2.0.zip (39.93 KB)
  • GIT
  • PSFree Exploit (Live Demo) via @zecoxao on Twitter
  • psfree-beta2.7z (16.34 KB) via abc for 8.0x
  • psfree-beta3.7z (24.60 KB) via abc
  • PSFree Beta 3 Version (Live Demo) via Kameleonre_
  • psfree-1.3.0.7z (30.30 KB) via abc
  • psfree-beta-140.7z (37.05 KB) via abc
  • PS5 Kernel Exploit 3.xx-4.xx (PSFree Integrated Live Demo)
  • PS5 Exploit Host via idlesauce
  • PSFree900-main.zip
  • PSFree900 GIT
  • PSFree 9.00 FW (Live Demo) via Kameleonre_
  • 9.00 FW PSFree with GoldHEN (Live Demo) via ps3120
  • 6.72 FW PSFree with GoldHEN via ps3120
  • psfree-beta3-140.7z (37.92 KB) via abc
  • psfree-beta4-140.7z (37.93 KB) via abc
  • psfree700-main.zip (36.1 KB)
  • PSFree 7.02 FW via Kameleonre_
  • psfree-150b.7z (171.98 KB) by abc via master_s9
  • PS5-UMTX-Jailbreak-psfree-150b.zip
  • GIT Fork via idlesauce
  • psfree-1.5rc1.7z (193.33 KB) via abc
  • Mirror
This follows the previously released PS4 NoBD: BD Driveless Updating & No BD Updater Payloads / PS4 NoBD Toolkit, HDD_Script.py to Retrieve Data from Any PS4 Console via SFlash Dump, PS4 CR0.WP Protection Kernel Security Bypass and pOOBs4: PS4 9.00 Jailbreak Exploit via ChendoChap with Updated Payloads.

Here are further details from the included README.txt:

PSFree version 1.2.0

PSFree is a WebKit exploit using CVE-2022-22620 to gain arbitrary read/write.

This exploit was initially for the PS4 firmware version 8.03. CelesteBlue has tested and confirmed that the original works on 7.00-8.52 and helped in making the patches for 6.00-6.72, 9.00-9.60, and PS5 1.00-5.50.

CREDITS:
  • CelesteBlue from ps4-dev on discord.com for testing and porting to other firmwares
  • Quentin Meffre (0xdagger) and Mehdi Talbi (abu_y0ussef) for the 6.xx buildBubbleTree() UaF exploit that served as the framework for this exploit
  • Maddie Stone for the CVE writeup
Notes on reimplementing this project and testing on firmwares != 8.03:
  • num_reuse and num_str must be changed if the proof-of-concept is failing
  • 6.xx firmwares need a setTimeout() after a gc() for garbage collection to work. The duration may also need changing.
These values are in exploit.mjs. This implementation was tested on 8.03.

The values are implementation dependent. Even if you are on the same firmware and you test 2 different implementations, you may need to change the values.

For example, if you reimplement the project with setTimeout() callbacks instead of using Promises, even if you are on 8.03, you may need different values.

Changelog:

1.2.0:
  • add support for PS4 6.00-6.20
1.1.0:
  • add support for running ROP chains (PS4 8.03)
  • add support for calling syscalls (PS4 8.03)
1.0.0:
  • add proof-of-concept code to gain arbitrary read/write (PS4 6.50-9.60/PS5 1.00-5.50)
OLD README:

PSFree is a WebKit exploit using CVE-2022-22620 to gain arbitrary read/write.

This exploit is for the PS4 firmware version 8.03.

Porting to other firmware versions:

The only non-portable parts of the exploit (assuming the firmware is vulnerable) are:

1. the size of SerializedScriptValue and the offsets of its fields
2. how to achieve an arbitrary decrement primitive

There are also other objects used by this exploit, such as StringImpl. They too are subject to change between firmware versions, but they are very stable, which is why we did not list them.

Item 2 is used to corrupt the length of the JSArrayBufferView. This exploit manipulates the destructor ~SerializedScriptValue() to achieve the wanted result.

There is possibly a restricted free primitive via repeatedly corrupting any object that gets allocated at a JSArrayBufferView and changing its contents so that it frees another object.

For example, you could modify a StringImpl so that its data pointer points to a target address, set its BufferOwnership to BufferOwned, and have it destroyed.

The primitive is restricted because you can only fastFree() addresses known to the fastMalloc allocator, i.e. addresses on the fastMalloc heap, regardless of whether they are currently free or not.

This means you can recreate any previous fastMalloc use-after-free exploit.


Comments

For me Y2JB 1.2.1 has been working without any crash for the last few days. I don't see any reason to move to LUA; Y2JB is quite new but it's already reliable and fast.

For now, updating to fw 9 will cause you to lose your cheats and linux options. It is better to wait until more games are ported to older versions of the software. Do not update above version 9.60, as there is no kstuff for fw 10, so the exploit will not work.
 
Ok, so I just stupidly updated to PS5 9.00 from 7.40 and now Y2JB doesn't run correctly unless I reboot 2 times in a row. Anyone else experiencing this?

Do the games load and freeze, or are they giving an error? I heard turning off kstuff helps after starting the game. Go into debug options and set a shortcut for kstuff.

@grpw hope this helps.
 
Hi guys, the PS5 hacking scene is progressing rapidly, and with higher firmware versions now capable of launching backups, things are becoming very interesting.

I'm currently on firmware 5.5 and wondering if I should update to 9.XX to increase compatibility with game backups.

The Y2JB exploit appears to be working well and is fairly simple to use.

What are your thoughts, those of you who have taken the plunge?

As a non-native English speaker, please excuse any language errors.

Have fun!!!!!
 
I recently jailbroke a PS4 I had in the attic for a year or two since moving house, genuinely can't understand how I haven't done this earlier.

I also just bought a PS5 30th Anniversary edition in the Black Friday sales, fingers crossed the FW version is jailbreakable! Although I've seen a few people saying they bought the Anniversary edition recently and the FW version was too high to JB, so I'm not going to get my hopes up.

A JB PS4 is still plenty of fun for now!
 
Hello Dzin25, for me it is 7.40 with an unusable disk drive (can't wait for an offline pairing tool) and the YTJB is working like a charm (just wait 10-20 sec before running it).

All games and fPKGs are running well. I will wait before going for 9.60 as the support is not full for the moment, only 9.01. I also installed the Netflix JB as a second chance in case the YTJB goes wrong or cannot be run.

Thanks to the scene for their amazing job!
 
November and December might as well be the best two months of my jailbreaking experience. I'm also blown away by how little time it took to dump GOW Ragnarok natively on the PS5, FC26, Until Dawn, and much more that was on my waitlist...

In addition to being able to jailbreak my slim PS5 running 9.60 using the YTJB exploit, after debating which of those Japanese games I should get (they are soo expensive to buy and ship to where I live). Really can't wait to see what's coming next! Thanks a LOT.
 
I just bought a digital version PS5 and I'm hoping it can be jailbroken. Since I can't use the BD-JB option, what is the current firmware for Y2JB? Or is there a better method? Any help would be great.
 
Is it better to have a jailbroken PS4 or PS5? I just jailbroke one of my old PS4s, but I was thinking of buying an old firmware PS5 to jailbreak for all the new games coming out. What yous reckon?
 
Hey Jack. It depends what you're wanting to achieve. With the PS4s, more firmwares are supported, tons of homebrew, emulators, cheats, patches and a ton of backups/DLCs to choose from.

PS5s are still in the early days: full JB up to 9.60 firmwares (soon to be 10.0x as Kstuff is almost complete), limited PS5 game backups (fPKG not available at present) and a smaller homebrew library.... however, it can run a lot of PS4 stuff via backward compatibility.

In the long run the PS5 is the future, and with the speed things are moving it would be a good investment, but ultimately it depends on whether you want to wait and what you're wanting to get out of your console.
 
I am really new to the PS4 JB scene, but the ease with which I was able to JB my PS4 shows how much progress has been made!! Truly impressive, and hats off.
 