The PS5 Has Been Jailbroken - Custom Packages Can Now Be Installed


chiobu

爪闩尺丂㠪ㄚ
True & Honest Fan
kiwifarms.net
Joined
Sep 10, 2021
The PS5 has been jailbroken and cracked wide open marking the first major hack on the system since its launch back in 2020. While hackers have managed to infiltrate the console up to this point, none of them have been able to access the console’s debug options and install custom packages until now.

Notorious hacker Lance McDonald posted a video of his newly jailbroken PS5 console on Twitter showing off some of the now-enabled settings. Most notable is the new ability to install custom packages. Other features include enabling developer options and even hidden dev tools while running games.

Of course, the most exciting part of the PS5 jailbreak comes at the end of the video where the hacker installs the infamous Silent Hills P.T Demo which was officially delisted from the PlayStation Store a few years ago. The hacker doesn’t show the game launching but the fact that it can be installed is a huge step towards installing and playing games which are not officially licensed for the PS5.

This PS5 jailbreak marks quite a big step towards enabling homebrew on the console too. Both the PS3 and PS4 are currently jailbroken and can be used to install custom themes, games, emulators and even unofficial game patches including the Bloodborne 60FPS patch. The patch is something you can’t install on your PS4 unless you have it jailbroken and hacked.

Sadly, the hacker didn’t share any specific details on how the jailbreak took place. We don’t know if it was a software or hardware-related loophole at this stage. He likely kept his process a secret to avoid Sony patching and fixing it almost instantly.

It is still too early to tell what will come from this exploit. However, apart from the piracy issues surrounding jailbroken PS5 consoles, the homebrew community might find ways to create unique apps and experiences on the console. In fact, this exploit might result in a way for users to emulate PS3 games on the console. Something Sony has failed to work on.




https://www.glitched.online/the-ps5-has-been-jailbroken-custom-packages-can-now-be-installed/ (Archive)
 
> Notorious hacker Lance McDonald posted a video of his newly jailbroken PS5 console on Twitter showing off some of the now-enabled settings. Most notable is the new ability to install custom packages. Other features include enabling developer options and even hidden dev tools while running games.
It just unlocks the debug menu with the official package installer, which lets you install any legitimate package you've downloaded, e.g. unmodified games and updates. If you install unsigned/unencrypted games this way they just won't work.
The writer has incorrectly conflated other things Lance McDonald does with what this jailbreak does, for some reason.
> Of course, the most exciting part of the PS5 jailbreak comes at the end of the video where the hacker installs the infamous Silent Hills P.T Demo which was officially delisted from the PlayStation Store a few years ago. The hacker doesn’t show the game launching but the fact that it can be installed is a huge step towards installing and playing games which are not officially licensed for the PS5.
No, this is nothing groundbreaking and can be done just by installing it on a hacked PS4, then moving it to the PS5 via external storage. This does not allow you to run the game; installing unsupported PS4 games on the PS5 is very easy and can be done without hacking it, but they'll still be checked against the whitelist once installed and you won't be able to run them, it just tells you to fuck off.
> Sadly, the hacker didn’t share any specific details on how the jailbreak took place. We don’t know if it was a software or hardware-related loophole at this stage. He likely kept his process a secret to avoid Sony patching and fixing it almost instantly.
The exploit is already public, has already been fixed and requires your console being on an old firmware.

tl;dr: This hack is a proof-of-concept with no practical use to normal people, and the author of this article quickly shat it out with no understanding of what he's talking about.
 
this is cool and all but i genuinely don't know anybody that has a ps5 because of the scalpniggers (and also the lack of games exclusive to the console itself)
 
lol eat shit if you didn't wake up every day at 6am to mash F5 back when stores were announcing stock waves

> has already been fixed and requires your console being on an old firmware.
Dope, thanks. I was excited to see what developed when this first came out, and I haven't turned it on for six months so I'm unplugging it now.

>ps5 piracy
the ps5 has games to pirate?
But when they do (or it's something I'd just rather play on my projector and I'm too lazy to move the HDMI cable) they're like $30 more expensive than on other platforms so this can't happen soon enough.
I haven't really cared about burning money in it so far but when it's possible I'll do it out of spite.
 
Cool that'll be handy in 2050 when I can actually get one
 
buckbroken you mean

> >ps5 piracy
> the ps5 has games to pirate?
There's the direct-to-bluray directed by Neil Druckmann but it's already on Youtube and for free too.
 
imagine buying a $500 console and carefully ensuring it's updated to an extremely specific firmware version so you can install some guy's exploit - risking the total loss of your purchase if the system bricks - which allows you to break some but not all of the OS controls so you can maybe install some arbitrary software, if it's been prepared in an extremely specific way. just build a PC already faggot
 
> imagine buying a $500 console and carefully ensuring it's updated to an extremely specific firmware version so you can install some guy's exploit - risking the total loss of your purchase if the system bricks - which allows you to break some but not all of the OS controls so you can maybe install some arbitrary software, if it's been prepared in an extremely specific way. just build a PC already faggot
don't forget that this also lets you cheat in all ps5 exclusive games, such as;
and can't forget
 
@SpecterDev just released his implementation of TheFl0w's previously disclosed IPV6 kexploit. It targets firmware version 4.03 (it could also work on 4.50). It is unstable with approximately 30% success rate.
README said:
# PS5 4.03 Kernel Exploit
---
## Summary
This repo contains an experimental WebKit ROP implementation of a PS5 kernel exploit based on **TheFlow's IPV6 Use-After-Free (UAF)**, which was [reported on HackerOne](https://hackerone.com/reports/1441103). The exploit strategy is for the most part based on TheFlow's BSD/PS4 PoC with some changes to accommodate the annoying PS5 memory layout (for more see *Research Notes* section). It establishes an arbitrary read / (semi-arbitrary) write primitive. This exploit and its capabilities have a lot of limitations, and as such, it's mostly intended for developers to play with to reverse engineer some parts of the system.

Also note; stability is fairly low, especially compared to PS4 exploits. This is due to the bug's nature of being tied to a race condition as well as the mitigations and memory layout of the PS5. This document will contain research info about the PS5, and this exploit will undergo continued development and improvements as time goes on.

This could possibly work on 4.50 as well via substituting valid 4.50 gadget offsets + kernel slides, but that will be for future work.



## Currently Included

- Obtains arbitrary read/write and can run a basic RPC server for reads/writes (or a dump server for large reads) (must edit your own address/port into the exploit file on lines 673-677)
- Enables debug settings menu (note: you will have to fully exit settings and go back in to see it).
- Gets root privileges




## Limitations
- This exploit achieves read/write, **but not code execution**. This is because we cannot currently dump kernel code for gadgets, as kernel .text pages are marked as eXecute Only Memory (XOM). Attempting to read kernel .text pointers will panic!
- As per the above + the hypervisor (HV) enforcing kernel write protection, this exploit also **cannot install any patches or hooks into kernel space**, which means no homebrew-related code for the time being.
- Clang-based fine-grained Control Flow Integrity (CFI) is present and enforced.
- Supervisor Mode Access Prevention/Execution (SMAP/SMEP) cannot be disabled, due to the HV.
- The write primitive is somewhat constrained, as bytes 0x10-0x14 must be zero (or a valid network interface).
- The exploit's stability is currently poor. More on this below.
- On successful run, **exit the browser with circle button, PS button panics for a currently unknown reason**.



## How to use

1. Configure fakedns via `dns.conf` to point `manuals.playstation.net` to your PC's IP address
2. Run fake dns: `python fakedns.py -c dns.conf`
3. Run HTTPS server: `python host.py`
4. Go into PS5 advanced network settings and set primary DNS to your PC's IP address and leave secondary at `0.0.0.0`
   - Sometimes the manual still won't load and a restart is needed; unsure why, it's really weird
5. Go to user manual in settings and accept untrusted certificate prompt, run
6. Optional: Run rpc/dump server scripts (note: address/port must be substituted in binary form into exploit.js).



## Future work
- [x] ~~Fix-up sockets to exit browser cleanly (top prio)~~
- [ ] Write some data patches (second prio)
- [x] ~~Enable debug settings~~
- [x] ~~Patch creds for uid0~~
- [ ] Jailbreak w/ cr_prison overwrite
- [ ] Improve UAF reliability
- [ ] Improve victim socket reliability (third prio)
- [ ] Use a better / more consistent leak target than kqueue



## Using RPC and Dumping Kernel .data

**RPC**

RPC is a very simple and limited setup.

1. Edit your IP+port (if changed) into exploit.js.
2. Run the server via `python rpcserver.py`, allow the PS5 to connect when the exploit finishes. The PS5 will send the kernel .data base address in ASCII and you can then send read and write commands. Example is below.

```
[RPC] Connection from: ('10.0.0.169', 59335)
[RPC] Received kernel .data base: 0x0xffffffff88530000
> r 0xffff81ce0334f000
42 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00
> w 0xffff81ce0334f004 0x1337
Wrote qword.
```

This setup is somewhat jank and a better system will be in place soon.

**Dump**

1. Edit your IP+port (if changed) into exploit.js.
2. Comment the RPC code in exploit.js and uncomment dumper code.
3. Run the server via `python dumpserver.py`, allow the PS5 to connect and start dumping when exploit finishes. It will continue to dump data from the kernel base until it panics due to hitting unmapped memory. Note: read is somewhat slow at ~200kbps, so it may take 10 minutes or so to complete.



## Exploit Stages
This exploit works in 5 stages, and for the most part follows the same exploit strategy as theflow's poc.
1) Trigger the initial UAF on `ip6_pktopts` and get two sockets to point to the same `pktopts` / overlap (master socket <-> overlap spray socket)
2) Free the `pktopts` on the master socket and fake it with an `ip6_rthdr` spray containing a tagged `tclass` overlap.
3) Infoleak step. Use `pktopts`/`rthdr` overlap to leak a kqueue from the 0x200 slab and `pktopts` from the 0x100 slab.
4) Arbitrary read/write step. Fake `pktopts` again and find the overlap socket to use `IPV6_RTHDR` as a read/write primitive.
5) Cleanup + patch step. Increase refcount on corrupted sockets for successful browser exit + patch data to enable debug menu and patch ucreds for uid0.



## Stability Notes
Stability for this exploit is at about 30%, and has multiple potential points of failure. In order of observed descending likelihood:
1) *Stage 1* causes more than one UAF due to failing to catch one or more in the reclaim, causing latent corruption that causes a panic some time later on.
2) *Stage 4* finds the overlap/victim socket, but the pktopts is the same as the master socket's, causing the "read" primitive to just read back the pointer you attempt to read instead of that pointer's contents. This needs some improvement and to be fixed if possible because it's really annoying.
3) *Stage 1*'s attempt to reclaim the UAF fails and something else steals the pointer, causing immediate panic.
4) The kqueue leak fails and it fails to find a recognized kernel .data pointer.
5) Leaving the browser through "unusual" means such as PS button, share button, or browser crash, will panic the kernel. Needs to be investigated.



## Research Notes
- It appears based on various testing and dumping with the read primitive, that the PS5 has reverted back to 0x1000 page size compared to the PS4's 0x4000.
- It also seems on PS5 that adjacent pages rarely belong to the same slab, as you'll get vastly different data in adjacent pages. Memory layout seems more scattered.
- Often when the PS5 panics (at least in webkit context), there will be awful audio output as the audio buffer gets corrupted in some way.
- Sometimes this audio corruption persists to the next boot, unsure why.
- Similar to PS4, the PS5 will require the power button to be manually pressed on the console twice to restart after a panic.
- It is normal for the PS5 to take an absurd amount of time to reboot from a panic if it's isolated from the internet (unfortunately). Expect boot to take 3-4 minutes.



## Contributors / Special Thanks
- [Andy Nguyen / theflow0](https://twitter.com/theflow0) - Vulnerability and exploit strategy
- [ChendoChap](https://github.com/ChendoChap) - Various help with testing and research
- [Znullptr](https://twitter.com/Znullptr) - Research/RE
- [sleirsgoevy](https://twitter.com/sleirsgoevy) - Research/RE + exploit strat ideas
- [bigboss](https://twitter.com/psxdev) - Research/RE
- [flatz](https://twitter.com/flat_z) - Research/RE + help w/ patches
- [zecoxao](https://twitter.com/notzecoxao) - Research/RE
- [SocracticBliss](https://twitter.com/SocraticBliss) - Research/RE
- laureeeeeee - Background low-level systems knowledge and assistance
 
I'll wait till they're a bit easier to acquire a replacement before I risk mine but this could prove interesting, especially in an era where so many devs cuck and remove content via updates
 
ok but why tho

Ps5s are rare, expensive and have no games. Instead of risking bricking your console for absolutely no gain (since no games) just sell it on ebay and buy a PC with the money you're gonna get.
 