{"id":86085,"date":"2022-10-03T23:25:04","date_gmt":"2022-10-03T23:25:04","guid":{"rendered":"https:\/\/harchi90.com\/new-ps5-exploit-unlocks-root-privileges-read-write-memory-access\/"},"modified":"2022-10-03T23:25:04","modified_gmt":"2022-10-03T23:25:04","slug":"new-ps5-exploit-unlocks-root-privileges-read-write-memory-access","status":"publish","type":"post","link":"https:\/\/harchi90.com\/new-ps5-exploit-unlocks-root-privileges-read-write-memory-access\/","title":{"rendered":"New PS5 exploit unlocks root privileges, read\/write memory access"},"content":{"rendered":"<div itemprop=\"articleBody\">\n<figure class=\"intro-image intro-left\">\n  <figcaption class=\"caption\">\n<div class=\"caption-text\">enlarge <span class=\"sep\">\/<\/span> Hackers are getting closer to fully unlocking user control of the PS5 hardware.<\/div>\n<p>Sony<\/p>\n<\/figcaption><\/figure>\n<aside id=\"social-left\" class=\"social-left\" aria-label=\"Read the comments or share this article\">\n<\/aside>\n<p><!-- cache hit 548:single\/related:c58a4de74a74403359aceb0202f736ed --><!-- empty --><\/p>\n<p>Long-time console hacker and exploit developer <a rel=\"nofollow noopener\" href=\"https:\/\/twitter.com\/SpecterDev\" target=\"_blank\">SpecterDev<\/a> has released a PS5 exploit that can give users root privileges and read\/write access to large chunks of system memory.  While this exploit can&#8217;t be used to actually <em>execute<\/em> arbitrary code just yet, it represents an important step toward getting homebrew code running on the console.<\/p>\n<p>The exploit, released this weekend, makes use of a FreeBSD vulnerability in the system OS that was reported to PlayStation&#8217;s HackerOne bounty program in January (a very similar vulnerability on the PS4 was reported to PlayStation in 2020).  Making use of the exploit relies on setting up a fake DNS server on your local network such that accessing the PS5&#8217;s on-screen manual (which is loaded via the system&#8217;s hidden web browser) points instead to a page on your local PC.<\/p>\n<p>From there, the exploit uses an error in how the PS5&#8217;s browser implementation handles memory locking while setting IPv6 socket headers.  While the details get pretty technical, the exploit essentially sets up a race condition to access that exposed socket header memory before it&#8217;s fully locked.  That small bit of access is then used as a hook to start reading and writing arbitrary data into large areas of the PS5&#8217;s memory via an RPC server on the host machine.<\/p>\n<h2>Limitations<\/h2>\n<p>Because this exploit relies on a race condition, SpecterDev warns that it only works about 30 percent of the time and might lead to multiple kernel panics (and subsequent lengthy system restarts) before read\/write access is successfully obtained.  The exploit also can&#8217;t currently write to low-level &#8220;kernel space&#8221; (which is still protected by an intact hypervisor) or even execute any code that a user might write to user space (which relies on areas of &#8220;Execute Only Memory&#8221; that are still protected).<\/p>\n<aside class=\"ad_wrapper\" aria-label=\"In Content advertisement\">\n    <span class=\"ad_notice\">Advertisement <\/span>    <\/p>\n<\/aside>\n<p>Still, the exploit provides access to the PS5&#8217;s debug menu, as hacker Lance McDonald <a rel=\"nofollow noopener\" href=\"https:\/\/twitter.com\/manfightdragon\/status\/1576768394707161088\" target=\"_blank\">demonstrated in a tweet last night<\/a>.  It also provides PS5 hackers with an entry point to learn more about the PS5&#8217;s memory and security systems and could serve as a potential beachhead for developing a fully homebrew-compatible hack for the console.  That said, SpecterDev warns that &#8220;homebrew will take a lot of effort&#8221; because of the aforementioned security protections that are still intact.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p dir=\"ltr\" lang=\"en\">It&#8217;s&#8230; beautiful.<\/p>\n<p>The PlayStation 5 has been jailbroken. <a rel=\"nofollow\" href=\"https:\/\/t.co\/54fvBGoQGw\" target=\"_blank\">pic.twitter.com\/54fvBGoQGw<\/a><\/p>\n<p>\u2014 Lance McDonald (@manfightdragon) <a rel=\"nofollow noopener\" href=\"https:\/\/twitter.com\/manfightdragon\/status\/1576768394707161088?ref_src=twsrc%5Etfw\" target=\"_blank\">October 3, 2022<\/a><\/p>\n<\/blockquote>\n<p>While this exploit currently works on version 4.3 of the PS5 firmware (released last October), SpecterDev speculates that some slight changes could get a similar exploit to work on firmware version 4.5 (released last December).  Sony marked the issue as &#8220;resolved&#8221; on HackerOne in April, though, suggesting that the same vulnerability probably won&#8217;t work in firmware versions released since then.<\/p>\n<p>That makes SpecterDev&#8217;s entry point different from a distinct, &#8220;essentially unpatchable&#8221; PS5 exploit revealed by hacker CTurt earlier this month.  That method made use of a separate issue with the PS5&#8217;s &#8220;just-in-time&#8221; compilation of emulated PS2-on-PS4 games to gain a hook into the console&#8217;s &#8220;user space&#8221; memory to write and run homebrew code.<\/p>\n<p>While the days of regular PS5 owners being able to install their own homebrew apps on the PS5 may still be a ways off, the hacking community won&#8217;t rest until that time arrives.<\/p>\n<\/p><\/div>\n<p><script async src=\"\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n","protected":false},"excerpt":{"rendered":"<p>enlarge \/ Hackers are getting closer to fully unlocking user control of the PS5 hardware. Sony Long-time console hacker and exploit developer SpecterDev has released a PS5 exploit that can give users root privileges and read\/write access to large chunks of system memory. While this exploit can&#8217;t be used to actually execute arbitrary code just &hellip;<\/p>\n<p class=\"read-more\"> <a class=\"\" href=\"https:\/\/harchi90.com\/new-ps5-exploit-unlocks-root-privileges-read-write-memory-access\/\"> <span class=\"screen-reader-text\">New PS5 exploit unlocks root privileges, read\/write memory access<\/span> Read More &raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"default","ast-global-header-display":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[4],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack-related-posts":[{"id":85268,"url":"https:\/\/harchi90.com\/released-ps5-kernel-exploit-webkit-vulnerability-for-firmware-4-03\/","url_meta":{"origin":86085,"position":0},"title":"Released!  PS5 Kernel exploit + Webkit vulnerability for Firmware 4.03","date":"October 3, 2022","format":false,"excerpt":"Oh, wow, only a few hours after tweeting that this needed to be \u201cironed out\u201d, SpecterDev has now published his implementation of the PS5 IPV6 Kernel exploit! This release relies on the Webkit vulnerability as an entry point, meaning it will work on any PS5 (including PS5 Digital edition) running\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"https:\/\/i0.wp.com\/wololo.net\/wagic\/wp-content\/uploads\/2022\/10\/PS5_debug_settings_specterdev-1-1024x576.jpg?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":85848,"url":"https:\/\/harchi90.com\/new-ps5-kernel-exploit-seemingly-lets-someone-run-kojimas-pt\/","url_meta":{"origin":86085,"position":1},"title":"New PS5 Kernel Exploit Seemingly Lets Someone Run Kojima&#8217;s PT","date":"October 3, 2022","format":false,"excerpt":"Image: Sony \/ KotakuHackers have been circling the PS5 for almost a year nowand it appears they may have finally managed to jailbreak the 2020 hardware with a new kernel-level exploit first discovered on the PS4. While it doesn't allow access to execute certain types of code, the exploit has\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":18980,"url":"https:\/\/harchi90.com\/ps5-bd-jb-exploit-bdj-sdk-updated\/","url_meta":{"origin":86085,"position":2},"title":"PS5 BD-JB exploit: BDJ-SDK updated","date":"July 19, 2022","format":false,"excerpt":"Developer John Tornblom has pushed multiple updates to his BDJ-SDK github, a repository that contains the latest and greatest files for the PS5 DB-JB exploit toolchain. BDJ-SDK: what's new Since his initial release, here's what's been added to the repo: Use FileFileIO in favor of FileURLConnection Support for more FileIO\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"https:\/\/i0.wp.com\/wololo.net\/wagic\/wp-content\/uploads\/2022\/04\/ps5_prospero_large.jpg?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":85744,"url":"https:\/\/harchi90.com\/ps5-has-seemingly-been-jailbroken-and-people-are-already-installing-pt-on-it\/","url_meta":{"origin":86085,"position":3},"title":"PS5 Has Seemingly Been Jailbroken, and People are Already Installing PT on It","date":"October 3, 2022","format":false,"excerpt":"Sony's PlayStation 5 seems to have been jailbroken \u2013 so of course, people are installing PTPlayStation modders SpecterDev unveiled the new jailbreak earlier today \u2013 an experimental IPV6 kernel exploit for the PS5. This jailbreak relies on a WebKit vulnerability as an entry point, so it will only work on\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"fifu_image_url":"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2022\/10\/ps5-760x380.jpg","_links":{"self":[{"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/posts\/86085"}],"collection":[{"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/comments?post=86085"}],"version-history":[{"count":0,"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/posts\/86085\/revisions"}],"wp:attachment":[{"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/media?parent=86085"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/categories?post=86085"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/tags?post=86085"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}