PS5 3.xx / 4.xx Kernel Exploit

---

Summary

This repo contains an experimental WebKit ROP implementation of a PS5 kernel exploit based on TheFlow's IPV6 Use-After-Free (UAF), which was reported on HackerOne. The exploit strategy is for the most part based on TheFlow's BSD/PS4 PoC with some changes to accommodate the annoying PS5 memory layout (for more see Research Notes section). It establishes an arbitrary read / (semi-arbitrary) write primitive. This exploit and its capabilities have a lot of limitations, and as such, it's mostly intended for developers to play with to reverse engineer some parts of the system.

With latest stability improvements, reliability is at about 80%. This document will contain research info about the PS5, and this exploit will undergo continued development and improvements as time goes on.

Those interested in contributing to PS5 research/dev can join a discord I have setup here.

Exploit should now support the following firmwares:

• 3.00
• 3.10
• 3.20
• 3.21
• 4.00
• 4.02
• 4.03
• 4.50
• 4.51

Currently Included

• Obtains arbitrary read/write and can run a basic RPC server for reads/writes (or a dump server for large reads) (must edit your own address/port into the exploit file on lines 673-677)
• Enables debug settings menu (note: you will have to fully exit settings and go back in to see it).
• Gets root privileges

Limitations

• This exploit achieves read/write, but not code execution. This is because we cannot currently dump kernel code for gadgets, as kernel .text pages are marked as eXecute Only Memory (XOM). Attempting to read kernel .text pointers will panic!
• As per the above + the hypervisor (HV) enforcing kernel write protection, this exploit also cannot install any patches or hooks into kernel space, which means no homebrew-related code for the time being.
• Clang-based fine-grained Control Flow Integrity (CFI) is present and enforced.
• Supervisor Mode Access Prevention/Execution (SMAP/SMEP) cannot be disabled, due to the HV.
• The write primitive is somewhat constrained, as bytes 0x10-0x14 must be zero (or a valid network interface).
  • Though due to newer work using pipes, full arbitrary read/write is now possible

Prerequisites

• Python 3.x (tested with Python 3.6+)
• A PS5 console on firmware 3.00, 3.10, 3.20, 3.21, 4.02, 4.03, 4.50, or 4.51
• A computer on the same network as your PS5
• OpenSSL (for generating SSL certificates if needed)

Setup

1. Clone the Repository

git clone https://github.com/GizzZmo/PS5-IPV6-Kernel-Exploit.git
cd PS5-IPV6-Kernel-Exploit

2. Configure DNS

Edit dns.conf and replace 10.0.0.193 with your computer's IP address:

A manuals.playstation.net YOUR_IP_ADDRESS

3. Configure Server Scripts (Optional)

If you want to use the RPC or dump servers, you'll need to update the IP addresses in:

• klogclient.py (line 8)
• sendelf.py (line 8)

And in document/en/ps5/exploit.js (lines 673-677) with your server's IP address in binary form.

How to use

Running the Exploit

1. Start the fake DNS server:

   python3 fakedns.py -c dns.conf

2. Start the HTTPS server (in a new terminal):

   python3 host.py

3. Configure your PS5:

   • Go to Settings → Network → Settings → Set Up Internet Connection
   • Select your network (Wi-Fi or LAN)
   • Choose "Custom" setup
   • Set DNS Settings to "Manual"
   • Set Primary DNS to your computer's IP address
   • Set Secondary DNS to 0.0.0.0
   • Complete the rest of the setup with default settings

4. Run the exploit:

   • On your PS5, go to Settings → Users and Accounts → Other → User Guide
   • Accept the certificate warning when prompted
   • The exploit should run automatically
   • Note: If the manual doesn't load, try restarting your PS5

5. Optional - Run additional servers:

   For logging:

   python3 logserver.py

   For RPC (read/write commands):

    python3 rpcserver.py

   For dumping memory:

   python3 dumpserver.py

For a condensed end-to-end checklist you can reference offline, see document/wiki/howto.md.

Using the ELF Loader

Once the exploit completes successfully:

1. The PS5 will run a server on port :9020
2. Send your ELF file from your computer:

   python3 sendelf.py path/to/your/elf

3. The ELF will be loaded and executed on the PS5

Relocations & dynamic linking

• Supported AMD64 RELA relocations now include R_X86_64_RELATIVE, R_X86_64_64, R_X86_64_GLOB_DAT, and R_X86_64_JUMP_SLOT (unused R_X86_64_NONE entries are skipped).
• Dynamic sections are parsed to resolve DT_NEEDED, symbol, and string tables; undefined symbols are resolved with sys_dynlib_dlsym so dynamically linked payloads can import from already-loaded SPRX modules.
• Each symbol is cached during relocation. Unhandled relocation types are logged once to aid troubleshooting.
• Additional details live in document/wiki/relocations.md.

Sending Kernel Logs

To receive kernel logs from the PS5:

python3 klogclient.py

Note: Update the IP address in klogclient.py to match your PS5's IP

Troubleshooting

• Manual won't load: Try restarting your PS5 and ensure DNS settings are correct
• Certificate error: Accept the untrusted certificate when prompted
• Exploit fails: This is normal - current reliability is ~80-90%. Simply try again
• Connection timeout: Verify your firewall isn't blocking Python or the required ports
• DNS not working: Ensure fakedns.py is running and your PS5 is using the correct DNS settings

Project Structure

PS5-IPV6-Kernel-Exploit/
├── document/
│   └── en/
│       └── ps5/
│           ├── exploit.js       # Main exploit code
│           ├── index.html       # Entry point HTML
│           ├── int64.js         # 64-bit integer utilities
│           ├── rop.js           # ROP chain implementation
│           ├── webkit.js        # WebKit exploit primitives
│           └── offsets/         # Firmware-specific offsets
│               ├── 3.00.js
│               ├── 3.20.js
│               ├── 4.02.js
│               └── ...
├── fakedns.py                   # DNS server to redirect PS5 traffic
├── host.py                      # HTTPS server for exploit delivery
├── rpcserver.py                 # RPC server for read/write operations
├── dumpserver.py                # Server for dumping memory
├── logserver.py                 # Server for receiving logs
├── klogclient.py                # Client to receive kernel logs
├── sendelf.py                   # Client to send ELF files
├── dns.conf                     # DNS configuration
├── localhost.pem                # SSL certificate
└── README.md                    # This file

Future work

• Fix-up sockets to exit browser cleanly (top prio)
• Write some data patches (second prio)
  • Enable debug settings
  • Patch creds for uid0
  • Jailbreak w/ cr_prison overwrite
• Improve UAF reliability
• Improve victim socket reliability (third prio)
• Use a better / more consistent leak target than kqueue (no longer necessary)
• Make ELF loader support relocations
  • Add support for more relocations and dynamic linkage

Using ELF Loader

To use the ELF loader, run the exploit until completion. Upon completion it'll run a server on port :9020. Connect and send your ELF to the PS5 over that port and it'll run it. Assuming the ELF doesn't crash the browser, it can continue to run ELFs forever.

Exploit Stages

This exploit works in 5 stages, and for the most part follows the same exploit strategy as theflow's poc.

1. Trigger the initial UAF on ip6_pktopts and get two sockets to point to the same pktopts / overlap (master socket <-> overlap spray socket)
2. Free the pktopts on the master socket and fake it with an ip6_rthdr spray containing a tagged tclass overlap.
3. Infoleak step. Use pktopts/rthdr overlap to leak a kqueue from the 0x200 slab and pktopts from the 0x100 slab.
4. Arbitrary read/write step. Fake pktopts again and find the overlap socket to use IPV6_RTHDR as a read/write primitive.
5. Cleanup + patch step. Increase refcount on corrupted sockets for successful browser exit + patch data to enable debug menu and patch ucreds for uid0.
6. Run ELF loader server that will accept and load/run ELFs. Currently WIP, does not support relocations at the moment.

Stability Notes

Stability for this exploit is at about 30% 80-90%, and has two potential points of failure. In order of observed descending liklihood:

1. Stage 1 fails to reclaim the UAF, causing immediate crash or latent corruption that causes crash.
2. Stage 4 fails to find a victim socket

Research Notes

• It appears based on various testing and dumping with the read primitive, that the PS5 has reverted back to 0x1000 page size compared to the PS4's 0x4000.

  • After further research, the page size is indeed still 0x4000, however due to some insane allocator changes, different slabs can be allocated in the same virtual page.

• It also seems on PS5 that adjacent pages rarely belong to the same slab, as you'll get vastly different data in adjacent pages. Memory layout seems more scattered.

• Often when the PS5 panics (at least in webkit context), there will be awful audio output as the audio buffer gets corrupted in some way.

• Sometimes this audio corruption persists to the next boot, unsure why.

• Similar to PS4, the PS5 will require the power button to be manually pressed on the console twice to restart after a panic.

• It is normal for the PS5 to take an absurd amount of time to reboot from a panic if it's isolated from the internet (unfortunately). Expect boot to take 3-4 minutes.

Wiki (offline mirror)

This repository ships wiki-style documentation under document/wiki/ for easy mirroring:

• document/wiki/howto.md – quick start & runbook.
• document/wiki/relocations.md – loader relocation and dynamic linking notes.

Contributors / Special Thanks

• Andy Nguyen / theflow0 - Vulnerability and exploit strategy
• ChendoChap - Various help with testing and research
• Znullptr - Research/RE
• sleirsgoevy - Research/RE + exploit strat ideas
• bigboss - Research/RE
• flatz - Research/RE + help w/ patches
• zecoxao - Research/RE
• SocracticBliss - Research/RE
• laureeeeeee - Background low-level systems knowledge and assistance

Contributing

Contributions are welcome! Please read CONTRIBUTING.md for guidelines on how to contribute to this project.

Those interested in contributing to PS5 research/dev can join the discord server here.

Thanks to testers

• Dizz (4.50/4.51)

License

This project is licensed under the MIT License - see the LICENSE file for details.