
Released! PS5 Kernel exploit + Webkit vulnerability for Firmware 4.03

Oh, wow, only a few hours after tweeting that this needed to be “ironed out”, SpecterDev has now published his implementation of the PS5 IPv6 kernel exploit!

This release relies on the WebKit vulnerability as an entry point, meaning it will work on any PS5 (including the PS5 Digital Edition) running firmware 4.03. Lower firmwares might work (although the exploit might need tweaking). Higher firmwares will not work at the moment, since they are not vulnerable to the WebKit exploit.

PS5 4.03 Kernel exploit is here!

SpecterDev warns about significant limitations of this exploit. Notably:

  1. The exploit is fairly unstable, and in his experience works about 30% of the time. If you are trying to run it, don’t give up: it might require several attempts before the exploit gets through.
  2. Possibly more important, this exploit gives us kernel read/write access, but no code execution! This means there is no way to load and run binaries at the moment; everything has to be done from within the ROP chain. The current implementation does, however, enable the debug settings menu.

More precisely, from the exploit’s readme:

Currently Included

  • Obtains arbitrary read/write and can run a basic RPC server for reads/writes (or a dump server for large reads) (must edit your own address/port into the exploit file on lines 673-677)
  • Enables debug settings menu (note: you will have to fully exit settings and go back in to see it).
  • Gets root privileges


Download and run

You can download the hack here.

You will need Python to run SpecterDev’s implementation, and you will be running two things on your local PC for your PS5 to reach: a fake DNS server (which redirects the PS5’s user-manual host to your PC) and an HTTPS web server that serves the exploit page.

  1. Configure fakedns via dns.conf to point manuals.playstation.net to your PC’s IP address
  2. Run fake dns: python fakedns.py -c dns.conf
  3. Run HTTPS server: python host.py
  4. Go into PS5 advanced network settings and set primary DNS to your PC’s IP address and leave secondary at 0.0.0.0
    1. Sometimes the manual still won’t load and a restart is needed; unsure why, it’s really weird
  5. Go to user manual in settings and accept untrusted certificate prompt, run
  6. Optional: Run rpc/dump server scripts (note: address/port must be substituted in binary form into exploit.js)
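Steps 1 to 4 above work because the PS5 resolves manuals.playstation.net through a DNS server you control, and that server answers with your PC’s LAN address, so the console loads the “user manual” page from your own HTTPS server instead of Sony’s. The following is an added example of that redirect, written for this article; it is not SpecterDev’s fakedns.py or host.py and does not read his dns.conf. The hostname-to-address mapping (192.168.1.10) is a constructed placeholder for your PC’s IP, and the server only speaks plain UDP DNS: A queries for the spoofed name get an authoritative answer, everything else gets NXDOMAIN so the console cannot fall back to the real host while the exploit page is being served.

```python
import socket
import struct

# Constructed mapping for this example: the PS5 asks for the online-manual
# host and is handed the LAN address of the PC hosting the exploit page.
SPOOFED = {"manuals.playstation.net": "192.168.1.10"}  # assumed PC address


def parse_qname(data, offset):
    """Decode an uncompressed DNS name starting at offset.
    Returns (lower-cased dotted name, offset just past the name)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), offset


def build_query(name, qtype=1):
    """Build a minimal recursion-desired A query (used for offline testing)."""
    header = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)


def build_response(query, spoofed=SPOOFED):
    """Answer A/IN queries for spoofed names with the configured address;
    every other question gets NXDOMAIN (rcode 3)."""
    txid, flags, qdcount = struct.unpack(">HHH", query[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, end = parse_qname(query, 12)
    qtype, qclass = struct.unpack(">HH", query[end:end + 4])
    question = query[12:end + 4]
    ip = spoofed.get(name)
    if qtype == 1 and qclass == 1 and ip is not None:
        # flags: QR=1, AA=1, RA=1, RD copied from the query, rcode 0
        rflags = 0x8480 | (flags & 0x0100)
        header = struct.pack(">HHHHHH", txid, rflags, 1, 1, 0, 0)
        # answer RR: pointer to the question name (0xC00C), type A, class IN,
        # 30 s TTL so the spoof is easy to undo, 4-byte IPv4 address
        answer = struct.pack(">HHHIH", 0xC00C, 1, 1, 30, 4) + socket.inet_aton(ip)
        return header + question + answer
    rflags = 0x8483 | (flags & 0x0100)  # same flags, rcode 3 = NXDOMAIN
    return struct.pack(">HHHHHH", txid, rflags, 1, 0, 0, 0) + question


def serve(bind_addr="0.0.0.0", port=53):
    """Listen on UDP/53 (needs root or CAP_NET_BIND_SERVICE). Point the PS5's
    primary DNS at this machine and leave the secondary at 0.0.0.0."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(build_response(data), peer)
        except (ValueError, IndexError):
            pass  # malformed or truncated query: drop it


if __name__ == "__main__":
    serve()
```

Because this resolver refuses every name it does not spoof, the console is cut off from all other hosts while it runs; that is deliberate here, and it is also why the secondary DNS must stay at 0.0.0.0, otherwise the PS5 could resolve the real manuals.playstation.net through the second server and never hit your page. Run it on the PC that hosts the HTTPS server, then follow steps 4 and 5 on the console.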

This is a developing story, as more people will test and report on this hack in the days to come, so stay tuned!

Source: SpecterDev
