After almost two years, researchers have finally achieved the milestone of breaking the security of the PlayStation 5. The PS5 has been jailbroken and cracked wide open, marking the first significant hack on the system since its launch in 2020.
Popular gamer and streamer Lance McDonald posted a video of his newly jailbroken PS5 console on Twitter showing off some of the now-enabled settings. Most notable is the new ability to install custom packages. Other features include enabling developer options and even hidden dev tools while running games.
The PlayStation 5 has been jailbroken. It's... beautiful. pic.twitter.com/54fvBGoQGw — Lance McDonald (@manfightdragon) October 3, 2022
But before Lance tweeted, another security and exploit developer, SpecterDev, published his implementation of the PS5 IPv6 kernel exploit. His research relies on the WebKit vulnerability as an entry point, meaning it will work on any PS5 (including the PS5 Digital Edition) running firmware 4.03. Lower firmware might work, though the exploit may need tweaking. Higher firmware will not work at the moment, as it is not vulnerable to the WebKit exploit.
SpecterDev warns about the significant limitations of this exploit, which are:
- The exploit is fairly unstable and, in his experience, will work about 30% of the time. If you are trying to run it, don't give up; it might require several attempts before the exploit gets through.
- Possibly more important, this exploit gives us read/write access, but no execution! This means no possibility to load and run binaries at the moment; everything is constrained within the scope of the ROP chain. The current implementation does, however, enable debug settings.
Limitations of the SpecterDev Exploit
- This exploit achieves read/write, but not code execution. This is because we cannot currently dump kernel code for gadgets, as kernel .text pages are marked as eXecute Only Memory (XOM). Attempting to read kernel .text pointers will panic!
- As per the above + the hypervisor (HV) enforcing kernel write protection, this exploit also cannot install any patches or hooks into kernel space, which means no homebrew-related code for the time being.
- Clang-based fine-grained Control Flow Integrity (CFI) is present and enforced.
- Supervisor Mode Access Prevention/Execution (SMAP/SMEP) cannot be disabled, due to the HV.
- The write primitive is somewhat constrained, as bytes 0x10-0x14 must be zero (or a valid network interface).
- The exploit's stability is currently poor. More on this is below.
- On a successful run, exit the browser with the circle button; the PS button panics for a currently unknown reason.
How to Jailbreak PS5
To use SpecterDev's exploit you will need Python, and because the exploit relies on the WebKit vulnerability you also need to run a web server on your local PC for your PS5 to access. After that, just follow the steps below to jailbreak a PS5 on 4.03:
- Configure fakedns via dns.conf to point manuals.playstation.net to your PC's IP address
- Run fake dns: python fakedns.py -c dns.conf
- Run HTTPS server: python host.py
- Go into PS5 advanced network settings and set primary DNS to your PC's IP address and leave secondary at 0.0.0.0
- Sometimes the manual still won't load and a restart is needed; unsure why, it's really weird
- Go to the user manual in settings and accept the untrusted certificate prompt, run
- Optional: Run rpc/dump server scripts (note: address/port must be substituted in binary form into exploit.js)
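The whole setup above hinges on one observable event: the console resolving manuals.playstation.net to a machine on the local network instead of a public Sony address. As an added example (not code from SpecterDev's repository or from this article), here is how someone watching a home or lab resolver log could spot that redirect; the log line format, timestamps and addresses are constructed for illustration, and the list of watched domain suffixes is an assumption.

```python
import ipaddress
import re

# Hostnames the PS5 fetches over HTTPS. manuals.playstation.net is the one the
# walkthrough above redirects; the second suffix is an assumption for illustration.
WATCHED_SUFFIXES = ("playstation.net", "playstation.com")

# Address ranges a public Sony hostname should never legitimately resolve to:
# RFC 1918 private space, loopback and link-local.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed reply-line format, loosely modelled on dnsmasq-style logging:
#   "<timestamp> reply <name> is <address>"
REPLY_RE = re.compile(r"^(?P<ts>\S+) reply (?P<name>\S+) is (?P<addr>\S+)$")


def is_local(addr: str) -> bool:
    """True when addr parses as an IP inside one of LOCAL_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not an IP literal (e.g. a CNAME target); ignore it
    return any(ip in net for net in LOCAL_NETS)


def find_redirected_replies(lines):
    """Return every reply where a watched Sony hostname resolved to a local address."""
    hits = []
    for line in lines:
        m = REPLY_RE.match(line.strip())
        if not m:
            continue  # queries and other log lines are not replies
        name = m["name"].lower().rstrip(".")
        if name.endswith(WATCHED_SUFFIXES) and is_local(m["addr"]):
            hits.append({"ts": m["ts"], "name": name, "addr": m["addr"]})
    return hits


# Constructed sample log: one benign public answer, one redirected answer,
# one local answer for an unrelated name, and one query line to be skipped.
SAMPLE_LOG = [
    "2022-10-03T12:00:01 reply manuals.playstation.net is 52.1.2.3",
    "2022-10-03T12:00:05 reply manuals.playstation.net is 192.168.1.20",
    "2022-10-03T12:00:07 reply example.org is 10.0.0.5",
    "2022-10-03T12:00:09 query[A] manuals.playstation.net from 192.168.1.50",
]

if __name__ == "__main__":
    for hit in find_redirected_replies(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['name']} -> {hit['addr']} (local address: possible DNS redirect)")
```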