Oh wow, just a few hours after tweeting that this still needed to be “ironed”, SpectreDev has published his implementation of the PS5 IPV6 kernel exploit!
This release uses the WebKit vulnerability as its entry point, meaning it works on any PS5 (including the PS5 Digital Edition) on firmware 4.03. Lower firmwares might work (although the exploit may need tweaking). Higher firmwares currently do not work (they are not vulnerable to the WebKit exploit).
PS5 4.03 Kernel Exploit is here!
SpectreDev warns of significant limitations of this exploit. Notably:
The exploit is fairly unstable and, in his experience, works about 30% of the time. If you try to run it, don’t give up: it may take several tries for the exploit to go through. More importantly, this exploit gives us kernel read/write access, but no code execution. This means there is currently no way to load and run binaries; everything is restricted to the scope of the ROP chain. However, the current implementation does allow enabling the debug settings.
More precisely, from the exploit’s readme:
Currently included
Gets random read/write and can run a basic RPC server for read/write (or a dump server for large reads) (you need to edit your own address/port in the exploit file on lines 673-677)
Toggles debug settings menu (note: you have to completely exit the settings and go back in to see it)
Gains root privileges
Restrictions
This exploit achieves read/write, but no code execution. This is because we cannot currently dump kernel code for gadgets, as kernel .text pages are marked as eXecute Only Memory (XOM). Attempting to read kernel .text pointers will panic!
According to the above + the hypervisor (HV) enforcing kernel write protection, this exploit also cannot install patches or hooks in the kernel space, meaning no homebrew related code for now.
Clang-based fine grain Control Flow Integrity (CFI) is present and maintained.
Supervisor Mode Access Prevention/Execution (SMAP/SMEP) cannot be disabled due to the HV.
The write primitive is somewhat limited, as bytes 0x10-0x14 must be zero (or a valid network interface).
The stability of the exploit is currently poor. More about this below.
On successful execution, close the browser with the circle button; the PS button panics for a currently unknown reason.
Stability Notes
The stability for this exploit is about 30% and there are multiple potential points of failure. In order of perceived declining probability:
Phase 1 causes more than one UAF by not catching one or more in the chargeback, creating latent corruption that causes a panic some time later.
Phase 4 finds the overlap/victim socket, but the pktopts is the same as the master socket, so the “read” primitive just reads back the pointer you are trying to read rather than the contents of that pointer. This needs some improvement and should be fixed if possible as it is really annoying.
Phase 1’s attempt to reclaim the UAF fails and something else steals the pointer, causing an immediate panic.
The kqueue leak fails and it cannot find a recognized kernel .data pointer.
In other words, this release is only useful for hackers, or for those curious to dig into the internals of the PS5. Keep in mind, though, that despite its limitations, this is the very first public release of such a powerful hack for the PS5, so there are bound to be new discoveries!
PS5 IPV6 Exploit showcase video
Scene member Echo Stretch managed to run the exploit and provided us with a video of it in action, seen below. The video shows the debug menu and the package installer being unlocked on the PS5.
Testing PS5 4.03 Kernel Exploit for Disc or Digital PS5@frwololo @ps4_hacking pic.twitter.com/K8p8j0owoq
— Echo Stretch (@StretchEcho) October 3, 2022
Download and run
You can download the hack here.
You’ll need Python to run the SpectreDev implementation, and you’ll be hosting a web server on your local PC that your PS5 can reach.
Configure fakedns via dns.conf to point manuals.playstation.net to your PC’s IP address.
Run fake dns: python fakedns.py -c dns.conf
Run HTTPS server: python host.py
Go to PS5’s advanced network settings and set primary DNS to your PC’s IP address and leave secondary on 0.0.0.0
Sometimes the manual still doesn’t load and needs a reboot, don’t know why, it’s really weird
Go to the user manual in settings and accept untrusted certificate prompt, run
Optional: Run rpc/dump-server scripts (note op: address/port should be replaced in binary form with exploit.js)
This is a developing story; more people will test and report on this hack in the coming days, so stay tuned!