Category: PS4 Jailbreaking | Thread starter: PSXHAX | Start date: Dec 3, 2023 at 7:10 PM | Replies: 229
Status
Not open for further replies.
This weekend PS4 Scene developer @CelesteBlue announced on Twitter a PSFree WebKit exploit for PS4 firmware 6.00 to 9.60, crediting Sergei Glazunov and Maddie Stone (Twitter) of Project Zero for discovering the vulnerability, an anonymous developer for writing the PSFree exploit, and himself for testing, porting and improvements. Alongside it, a QuickHEN PS4 collection is incoming: WebKit exploits for PlayStation 4 System Software versions between 3.15 and 9.60, with kernel exploits for 3.15 to 9.00 only (and those still require more work). Also mentioned are Laps3c0re, a port of the Lapse kernel exploit implementation by abc that uses Mast1c0re by McCaulay as its entry point, and Y2JB userland code execution by Gezine, which uses the PS5 YouTube (USA) app v1.03 PKG and credits Remote_Lua_Loader. 🔥

Download:
  • psfree-1.2.0.zip (39.93 KB)
  • GIT
  • PSFree Exploit (Live Demo) via @zecoxao on Twitter
  • psfree-beta2.7z (16.34 KB) via abc for 8.0x
  • psfree-beta3.7z (24.60 KB) via abc
  • PSFree Beta 3 Version (Live Demo) via Kameleonre_
  • psfree-1.3.0.7z (30.30 KB) via abc
  • psfree-beta-140.7z (37.05 KB) via abc
  • PS5 Kernel Exploit 3.xx-4.xx (PSFree Integrated Live Demo)
  • PS5 Exploit Host via idlesauce
  • PSFree900-main.zip
  • PSFree900 GIT
  • PSFree 9.00 FW (Live Demo) via Kameleonre_
  • 9.00 FW PSFree with GoldHEN (Live Demo) via ps3120
  • 6.72 FW PSFree with GoldHEN via ps3120
  • psfree-beta3-140.7z (37.92 KB) via abc
  • psfree-beta4-140.7z (37.93 KB) via abc
  • psfree700-main.zip (36.1 KB)
  • PSFree 7.02 FW via Kameleonre_
  • psfree-150b.7z (171.98 KB) by abc via master_s9
  • PS5-UMTX-Jailbreak-psfree-150b.zip
  • GIT Fork via idlesauce
  • psfree-1.5rc1.7z (193.33 KB) via abc
  • Mirror
This comes following the PS4 NoBD: BD Driveless Updating & No BD Updater Payloads / PS4 NoBD Toolkit, HDD_Script.py to Retrieve Data from Any PS4 Console via SFlash Dump, PS4 CR0.WP Protection Kernel Security Bypass and pOOBs4: PS4 9.00 Jailbreak Exploit via ChendoChap with Updated Payloads previously released.

Here are further details from the included README.txt:

PSFree version 1.2.0

PSFree is a WebKit exploit using CVE-2022-22620 to gain arbitrary read/write.

This exploit was initially for the PS4 firmware version 8.03. CelesteBlue has tested and confirmed that the original works on 7.00-8.52 and helped in making the patches for 6.00-6.72, 9.00-9.60, and PS5 1.00-5.50.

CREDITS:
  • CelesteBlue from ps4-dev on discord.com for testing and porting to other firmwares
  • Quentin Meffre (0xdagger) and Mehdi Talbi (abu_y0ussef) for the 6.xx buildBubbleTree() UaF exploit that served as the framework for this exploit
  • Maddie Stone for the CVE writeup

Notes on reimplementing this project and testing on firmwares != 8.03:
  • num_reuse and num_str must be changed if the proof-of-concept is failing
  • 6.xx firmwares need a setTimeout() after a gc() for garbage collection to work. The duration may also need changing.
These values are in exploit.mjs. This implementation was tested on 8.03.

The values are implementation dependent. Even if you are on the same firmware and you test 2 different implementations, you may need to change the values.

For example, if you reimplement the project with setTimeout() callbacks instead of using Promises, even if you are on 8.03, you may need different values.
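As an added example (not part of the PSFree README or its code), the retuning note above can be turned into a small harness: it sweeps candidate num_reuse / num_str pairs, triggers the exploit's gc() hook before each attempt, and yields through setTimeout() after it, which is the pause the README says 6.xx firmwares need. The PoC entry point (`attemptPoc`), the gc hook, and the candidate ranges are assumptions; the fake PoC at the bottom is constructed so the harness runs offline and only stands in for the real exploit.

```javascript
// Added example, not PSFree code. Parameter-sweep harness for the
// implementation-dependent spray values the README says must be retuned
// (num_reuse, num_str) plus the "gc() then setTimeout()" pause for 6.xx.
// attemptPoc, gcHook and the candidate ranges are assumed/hypothetical.

const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Try each (num_reuse, num_str) pair in order. Before every attempt the
// optional gc hook runs and, if gcDelayMs > 0, we yield to the event loop so
// collection can actually happen before the spray. Returns the first working
// pair with the attempt count, or null if nothing works within maxAttempts.
async function tuneSprayParams(attemptPoc, opts = {}) {
  const {
    numReuseCandidates = [64, 128, 256, 512],      // assumed sweep range
    numStrCandidates = [1024, 2048, 4096, 8192],   // assumed sweep range
    gcHook = null,        // e.g. the exploit's own gc() trigger; assumed
    gcDelayMs = 0,        // 6.xx: set > 0; the duration may need changing too
    maxAttempts = Infinity,
    log = () => {},
  } = opts;

  let attempts = 0;
  for (const numReuse of numReuseCandidates) {
    for (const numStr of numStrCandidates) {
      if (attempts >= maxAttempts) return null;
      attempts += 1;
      if (gcHook) {
        gcHook();
        if (gcDelayMs > 0) await sleep(gcDelayMs);
      }
      let ok = false;
      try {
        ok = await attemptPoc({ numReuse, numStr });
      } catch (e) {
        // A thrown error (e.g. a failed sanity check inside the PoC) is a miss.
        log(`attempt ${attempts}: num_reuse=${numReuse} num_str=${numStr} threw ${e}`);
      }
      log(`attempt ${attempts}: num_reuse=${numReuse} num_str=${numStr} -> ${ok ? "ok" : "fail"}`);
      if (ok) return { numReuse, numStr, attempts };
    }
  }
  return null;
}

// Constructed stand-in for the real PoC so the harness runs offline. It models
// a heap where the freed slot is only recaptured when the reuse spray is wide
// enough (>= minReuse) and the string spray does not overshoot (<= maxStr).
// Real thresholds are firmware- and implementation-dependent.
function makeFakePoc(minReuse = 256, maxStr = 4096) {
  const calls = [];
  const attempt = async ({ numReuse, numStr }) => {
    calls.push([numReuse, numStr]);
    return numReuse >= minReuse && numStr <= maxStr;
  };
  return { attempt, calls };
}

// Usage: tune against the fake PoC with a 6.xx-style pause after each gc().
async function demo() {
  const fake = makeFakePoc();
  let gcCalls = 0;
  const result = await tuneSprayParams(fake.attempt, {
    gcHook: () => { gcCalls += 1; },
    gcDelayMs: 1,
    log: (m) => console.log(m),
  });
  return { result, gcCalls, tried: fake.calls.length };
}

demo().then((r) => console.log(JSON.stringify(r)));
```

In a real port, `attemptPoc` would be the PoC's own entry point, returning true only after its sanity check on the corrupted object passes, and `gcHook` the exploit's gc() trigger; the sweep then reports the first pair that lands, which is what you would write into exploit.mjs for that firmware.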

Changelog:

1.2.0:
  • add support for PS4 6.00-6.20

1.1.0:
  • add support for running ROP chains (PS4 8.03)
  • add support for calling syscalls (PS4 8.03)

1.0.0:
  • add proof-of-concept code to gain arbitrary read/write (PS4 6.50-9.60/PS5 1.00-5.50)

OLD README:

PSFree is a WebKit exploit using CVE-2022-22620 to gain arbitrary read/write.

This exploit is for the PS4 firmware version 8.03

Porting to other firmware versions:

The only non-portable parts of the exploit (assuming the firmware is vulnerable) are:

1. the size of SerializedScriptValue and the offsets of its fields
2. how to achieve an arbitrary decrement primitive

There are also other objects used by this exploit, such as StringImpl. They too are subject to change between firmware versions, but they are very stable, which is why we did not list them.

Number 2 is used to corrupt the length of the JSArrayBufferView. This exploit manipulated the destructor ~SerializedScriptValue() to achieve the wanted result.

There is possibly a restricted free primitive via repeatedly corrupting any object that gets allocated at a JSArrayBufferView and changing its contents so that it frees another object.

For example you could modify a StringImpl to have its data pointer point to a target address and set its BufferOwnership to BufferOwned and have it destroyed.

The primitive is restricted as you can only fastFree() addresses known by the fastMalloc allocator. This means an address on the fastMalloc heap, regardless of whether it is free or not.

This means you can recreate any previous fastMalloc use-after-free exploit.

Related Tweets: [image: PSFree WebKit Exploit for PS4 6.00 to 9.60 & QuickHEN PS4 Incoming.png]

Comments

Probably soon enough, there's so much scuttlebutt about developments coming these days that I'm sure it's on the way. Finally got a PS5 in the house and it's just barely out of firmware range, so I'm keeping my eyes out too.

What it did do though is bring my attention to PS4 hacking, I'd forgotten all about it. This PSFree business was incredibly easy, thanks so much again to everyone that was part of it.

Does anyone have an estimate of how much hard drive space is needed for all of the playable PS4 games released? Cause man, I'm going to have to add at least one more drive to my box now, lmao.
 
Hi guys, I have been out of the loop for a while. I have a second 2.xx PS5 with disc drive; what is the best way to jailbreak it? What FW would be able to run the latest PS5 backups?
Thanks
 
@Floroiu A 2.xx PS5 is really valuable, I would sell it if possible and buy one on higher FW, a shame to upgrade it. I would recommend the Y2JB autoloader, it's super stable for me on 4.50. You could also use the WebKit exploit, but it's not so stable.

Latest backups can be played with FW 10.01. I would suggest taking a look at the games and what FW is required, then you can decide what FW to upgrade to. I am happy with Cyberpunk and Returnal, still waiting for major titles that are worth the upgrade.
 
Would just like to share a small tip for those looking for a lower firmware PS5 and do not mind spending the little extra sourcing one. Looking for 'sealed box' older model usually commands scalper prices.

However there seems to be plenty of 'collector' 30th anniversary PS5s new in box trying to sell slightly above RRP as prices are dropping. These generally come with firmware 9.40 and 9.60 which are easily jailbreakable using Y2JB Autoloader. The slim version is CFI-2002B with serial S01-F448xxx.
 
I'm currently on firmware 6.72. From your experience, would you recommend updating to FW 9.xx for better stability and to try PSFree, or is it better to stay on 6.72 for now? I'm mainly looking for the most stable option at the moment.
 
@newkritos1 Well, my advice would be to stay on the lowest possible firmware you can for possible hypervisor exploits in the future, because you can still use Y2JB with the Lapse kernel exploit on the firmware you are on, and it's pretty stable as others say.

I am on 9.40 and it is stable. I used the extended storage method for the jailbreak without losing any data, so you can try that too if you have an external storage device with a minimum capacity of 256 GB, but in the end it's your personal choice.
 
I've been in the scene since the original Xbox came along and I've seen how much it has developed. I have always been a tinkerer and enjoy the hobby, and I appreciate those with the knowledge to do all this.

I came across a PS5 with 7.20 firmware two years ago. Just when I thought I could jailbreak it, I found out that I had to upgrade to the latest firmware to pair the disc to be able to use the Blu-ray method. Fast forward to now, I am happy to enjoy all the new developments that have been moving along, and fast.

For now even though I read all the time suggestions on whether I should upgrade to a higher firmware, I believe it is safe to stay where I'm at just like with my PS4 that's been at 9.00 for the longest.

Once again ...thank you all for the efforts so that we can enjoy the hobby even more!
 
PSFree Webkit works very well. Thank you for making things easier for us. Version 9.00 is very good and stable. I will continue to use this version.
 
I came from 7.50 FW, spending hours on dealing with 'not enough free system memory', and now I've upgraded to 9.00 FW and am using PSFree WebKit, which has made my life so much easier. I'm excited and looking forward to the future.

I am truly grateful for this community and the Devs. Big shout-out and thanks to the Devs for making it this far and continuing to develop.
 
Through my many years of stalking the console modding scene I've never had a point where I couldn't keep up with it... ladies and gentlemen, we have arrived and I couldn't be happier.

Thank you to all the ones I've watched from the shadows over the years, as you all do God's work and never receive the praise you deserve! Here's to many more developments and discoveries.
 