Category: PS4 Jailbreaking | Thread starter: PSXHAX | Start date: Dec 3, 2023 at 7:10 PM | Replies: 229
Status: Not open for further replies.
This weekend PS4 Scene developer @CelesteBlue announced on Twitter a PSFree WebKit Exploit for PS4 6.00 to 9.60, crediting Sergei Glazunov and Maddie Stone (Twitter) of Project Zero for discovering the vulnerability, anonymous for writing the PSFree Exploit, and himself for testing, porting and improvements. Also incoming is QuickHEN PS4, a collection of WebKit exploits for PlayStation 4 System Software versions between 3.15 and 9.60, with Kernel exploits between 3.15 and 9.00 only, albeit requiring more work. Alongside it come Laps3c0re, a port of the Lapse kernel exploit implementation by abc that uses Mast1c0re by McCaulay as an entry point, and Y2JB Userland code execution by Gezine, which uses the PS5 YouTube (USA) app v1.03 PKG and credits Remote_Lua_Loader. 🔥

Download:
  • psfree-1.2.0.zip (39.93 KB) / GIT
  • PSFree Exploit (Live Demo) via @zecoxao on Twitter
  • psfree-beta2.7z (16.34 KB) via abc for 8.0x
  • psfree-beta3.7z (24.60 KB) via abc
  • PSFree Beta 3 Version (Live Demo) via Kameleonre_
  • psfree-1.3.0.7z (30.30 KB) via abc
  • psfree-beta-140.7z (37.05 KB) via abc
  • PS5 Kernel Exploit 3.xx-4.xx (PSFree Integrated Live Demo)
  • PS5 Exploit Host via idlesauce
  • PSFree900-main.zip / PSFree900 GIT
  • PSFree 9.00 FW (Live Demo) via Kameleonre_
  • 9.00 FW PSFree with GoldHEN (Live Demo) via ps3120
  • 6.72 FW PSFree with GoldHEN via ps3120
  • psfree-beta3-140.7z (37.92 KB) via abc
  • psfree-beta4-140.7z (37.93 KB) via abc
  • psfree700-main.zip (36.1 KB)
  • PSFree 7.02 FW via Kameleonre_
  • psfree-150b.7z (171.98 KB) by abc via master_s9
  • PS5-UMTX-Jailbreak-psfree-150b.zip / GIT Fork via idlesauce
  • psfree-1.5rc1.7z (193.33 KB) via abc / Mirror
This comes following the PS4 NoBD: BD Driveless Updating & No BD Updater Payloads / PS4 NoBD Toolkit, HDD_Script.py to Retrieve Data from Any PS4 Console via SFlash Dump, PS4 CR0.WP Protection Kernel Security Bypass and pOOBs4: PS4 9.00 Jailbreak Exploit via ChendoChap with Updated Payloads previously released.

Here are further details from the included README.txt:

PSFree version 1.2.0

PSFree is a WebKit exploit using CVE-2022-22620 to gain arbitrary read/write.

This exploit was initially for the PS4 firmware version 8.03. CelesteBlue has tested and confirmed that the original works on 7.00-8.52 and helped in making the patches for 6.00-6.72, 9.00-9.60, and PS5 1.00-5.50.

CREDITS:
  • CelesteBlue from ps4-dev on discord.com for testing and porting to other firmwares
  • Quentin Meffre (0xdagger) and Mehdi Talbi (abu_y0ussef) for the 6.xx buildBubbleTree() UaF exploit that served as the framework for this exploit
  • Maddie Stone for the CVE writeup

Notes on reimplementing this project and testing on firmwares != 8.03:
  • num_reuse and num_str must be changed if the proof-of-concept is failing
  • 6.xx firmwares need a setTimeout() after a gc() for garbage collection to work. The duration may also need changing.

These values are in exploit.mjs. This implementation was tested on 8.03.

The values are implementation dependent. Even if you are on the same firmware and you test 2 different implementations, you may need to change the values.

For example, if you reimplement the project with setTimeout() callbacks instead of using Promises, even if you are on 8.03, you may need different values.

Changelog:

1.2.0:
  • add support for PS4 6.00-6.20

1.1.0:
  • add support for running ROP chains (PS4 8.03)
  • add support for calling syscalls (PS4 8.03)

1.0.0:
  • add proof-of-concept code to gain arbitrary read/write (PS4 6.50-9.60/PS5 1.00-5.50)

OLD README:

PSFree is a WebKit exploit using CVE-2022-22620 to gain arbitrary read/write.

This exploit is for the PS4 firmware version 8.03.

Porting to other firmware versions:

The only non-portable parts of the exploit (assuming the firmware is vulnerable) are:

1. the size of SerializedScriptValue and the offsets of its fields
2. how to achieve an arbitrary decrement primitive

There are also other objects used by this exploit, such as StringImpl. They too are subject to change between firmware versions, but they are very stable, which is why we did not list them.

Number 2 is used to corrupt the length of the JSArrayBufferView. This exploit manipulates the destructor ~SerializedScriptValue() to achieve the wanted result.

There is possibly a restricted free primitive via repeatedly corrupting any object that gets allocated at a JSArrayBufferView and changing its contents so that it frees another object.

For example, you could modify a StringImpl to have its data pointer point to a target address, set its BufferOwnership to BufferOwned, and have it destroyed.

The primitive is restricted in that you can only fastFree() addresses known to the fastMalloc allocator, i.e. an address on the fastMalloc heap, regardless of whether it is free or not.

This means you can recreate any previous fastMalloc use-after-free exploit.


Comments

Man, I've been out of the scene for some years. Completely missed out on this as no one told me :D

Actually that's nice. If it's not more complicated than a USB with an exFAT subpartition that eliminates the 'Couldn't access USB Device' message, I'll think about using it.

Do I have to do anything special first as a prerequisite on a 9.00 PS4 or no?
 
I've been catching up on all of the Resident Evil games for PS5, thanks to this team and others, this is possible. I'm about to start Silent Hill 2 remake and I was hoping to maybe get Silent Hill F soon!

I forgot to mention... Another game I've been waiting for quite a while is the new Ratchet and Clank game.

Also as a random note, the Y2JB hack works so well. Something that is useful to others: if you set up the autoloader of Y2JB on an older firmware and upgrade, the jailbreak setup doesn't get removed! I just did this like 5 minutes ago, upgrading from 5.10 to 6.50.
 
I’ve been following PS4 exploits for a while, and this is one of the clearer explanations I’ve seen of how the WebKit entry point ties into a full exploit chain. Seeing PSFree used as the browser entry and then combined with Lapse/Laps3c0re makes it easier to understand how things move from userland into kernel access.

What I like most is that this approach doesn’t feel locked to just one setup. The way it can lead into payloads like QuickHEN or other loaders makes it feel more flexible than some of the older methods, especially for people still learning how everything fits together.

I haven’t tested it myself yet, but reading through the details here definitely helps connect the dots between WebKit exploits and actually running homebrew. Interested to see how reliable it is across different firmware versions.
 
I recently updated from 5.05 to 9.00 and had no problems running the web exploit to jailbreak.

However, all of my games that I installed on 5.05 have all been corrupted with the error message: Cannot start the application (CE-32930-7).

I have no problems installing new PKGs. But all the old ones seem unrecoverable. Any suggestions or ideas? Thanks!
 
I have just got a PS5 Slim 30th Anniversary Edition and have jailbroken it using Y2JB. I very much look forward to testing its capabilities, and I hope that by using this forum I can gain more knowledge on the subject. I also wish to contribute when I learn more.
 
I have finally managed to get myself a PS5 with a low firmware version (5.50), it was a brand new sealed PS5 GoW Ragnarok bundle! I couldn't believe how easy it was to jailbreak using Y2JB.

The last console I jailbroke was an OG Xbox 360; back then you had to have a special SATA card with a very specific chipset to be able to flash the hacked DVD drive firmware. I am glad that no hardware was required for the PS5 JB!

Anyway, I am getting back into console modding with the PS5 and I still have so much to learn. For example, should I update my 5.50 PS5 to a higher firmware to be able to play more games? Not sure if it's worth the risk of missing out on future development on older firmware stuff.
 
Man, I've been messing with PS4 jailbreak for a couple years now, and it's honestly a game-changer if you're into retro gaming or just want to squeeze more out of your old console. Started with firmware 9.00 because that's got the most stable exploits out there - no bricks yet, knock on wood. You gotta be careful though, like backing up your saves and using a USB stick formatted right.

I remember the first time I got HEN running; it felt like unlocking a secret level in a game. Loaded up some homebrew apps, emulators for SNES and PS2 stuff, and even custom themes that make the dashboard look way cooler than stock.

But yeah, online play is a no-go unless you spoof your console ID or something, which I don't mess with 'cause bans suck. Overall, if you're tech-savvy and don't mind voiding warranty, it's worth it for the freedom. (y)(y)(y)
 
It's always nice to see the PS4 community still working on new exploits for PS4. Since I'm on 12.52, I have to use a Blu-ray every time I want to play, so maybe one day we can get another method. For now, I'll keep an eye out for new updates; it's always interesting to see how they release new exploits.
 
Wow, every time I go quiet and come back to the modding scene, things have moved on at a great pace! Not only are all my family PS4s able to be jailbroken, but my PS5 has been unused for rather a long time and my 9.20 is now in a good place.

Can I ask if there is any point upgrading from 9.20 to 10.01? I'm just thinking about backports etc. as 10.01 would likely have more compatible games at this point? Thanks in advance...
 