Home  ›  Ps4 6.20 Jailbreak May 2019

Ps4 6.20 Jailbreak May 2019

Written By Tuesday, November 9, 2021 Add Comment Edit

You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.

Status
Not open for further replies.

Proceeding the release of PS4 Firmware 6.50, his previous PS4 Exploit Documentation, GH Clone Demo, the 6.20 Dev Build Strings and 6.50 Dev Build Strings as promised today @SpecterDev released via Twitter a PS4 6.20 WebKit Code Execution Exploit PoC (Proof-of-Concept) using CVE-2018-4441 to obtain RCE crediting lokihardt for the vulnerability used.

From the Tweets below, he states that unlike the PS4 6.XX JSC_ConcatMemcpy WebKit Exploit which wasn't a complete exploit, this one grants

code execution in userland

for PS4 scene developers! :love:

Download: PS4-6.20-WebKit-Code-Execution-Exploit-master.zip / GIT / Live Demo / 6.20-FS.zip (323 MB - FULL 6.20 Fs with modules, decrypted) / Kernel_Dump_620-1.zip (20.5 MB - 6.20 kernel) / 6.20 kernel offsets via LightningMods

:alert: For newbs: This is a 6.20 PS4 WebKit (Userland) exploit and not a Kernel-level exploit, meaning until a fully implemented 6.20 Kernel exploit is publicly available you won't be able to jailbreak these PlayStation 4 consoles so don't update!

:idea: Also for those that updated already, if you can't get a second jailbroken console to run PS4 game backups then while you're waiting for a PlayStation 4 jailbreak (no ETA) it's

recommended

to get a Verified Badge via Discord to access the private areas.

To quote from the README.md: PS4 6.20 WebKit Code Execution PoC

This repo contains a proof-of-concept (PoC) RCE exploit targeting the PlayStation 4 on firmware 6.20 leveraging CVE-2018-4441. The exploit first establishes an arbitrary read/write primitive as well as an arbitrary object address leak in wkexploit.js.

It will then setup a framework to run ROP chains in index.html and by default will provide two hyperlinks to run test ROP chains - one for running the sys_getpid() syscall, and the other for running the sys_getuid() syscall to get the PID and user ID of the process respectively.

Each file contains a comment at the top giving a brief explanation of what the file contains and how the exploit works. Credit for the bug discovery is to lokihardt from Google Project Zero (p0). The bug report can be found here.

Note: It's been patched in the 6.50 firmware update.

Files

Files in order by name alphabetically;

  • index.html - Contains post-exploit code, going from arb. R/W -> code execution.
  • rop.js - Contains a framework for ROP chains.
  • syscalls.js - Contains an (incomplete) list of system calls to use for post-exploit stuff.
  • wkexploit.js - Contains the heart of the WebKit exploit.

Notes

  • This vulnerability was patched in 6.50 firmware!
  • This only gives you code execution in userland. This is not a jailbreak nor a kernel exploit, it is only the first half.
  • This exploit targets firmware 6.20. It should work on lower firmwares however the gadgets will need to be ported, and the p.launchchain() method for code execution may need to be swapped out.
  • In my tests the exploit as-is is pretty stable, but it can become less stable if you add a lot of objects and such into the exploit. This is part of the reason why syscalls.js contains only a small number of system calls.

Usage

Setup a web-server hosting these files on localhost using xampp or any other program of your choosing. Additionally, you could host it on a server. You can access it on the PS4 by either;

  1. Fake DNS spoofing to redirect the manual page to the exploit page, or
  2. Using the web browser to navigate to the exploit page (not always possible).

Vulnerability Credit

I wrote the exploit however I did not find the vulnerability, as mentioned above the bug (CVE-2018-4441) was found by lokihardt from Google Project Zero (p0) and was disclosed via the Chromium public bug tracker.

Resources

  • Chromium Bug Report - The vulnerability.
  • Phrack: Attacking JavaScript Engines by saelo - A life saver. Exploiting this would have been about 1500x more difficult without this divine paper.

Thanks

  • lokihardt - The vulnerability
  • st4rk - Help with the exploit
  • qwertyoruiop - WebKit School
  • saelo - Phrack paper

PS4 6.20 WebKit Proof of Concept (PoC) via Stefanuk12

PS4 6.20 WebKit Code Execution Exploit PoC by SpecterDev!.jpg

PSXHAX

Live in Your World, HAX in Ours!

Hello World! I've been reporting on Sony PlayStation hacking news since 2000 and started PSXHAX in 2014 to cover PlayStation (PSX), PlayStation 2 (PS2), PlayStation 3 (PS3), PlayStation 4 (PS4), PlayStation Portable (PSP), PlayStation Vita (PS Vita), PlayStation TV (PS TV) and next-gen PlayStation 5 (PS5) platforms along with anything else of interest.

Click on my UserName author link above and you'll be able to view a filtered list of all of the articles I've contributed thus far to PSXHAX.COM.

If you enjoy gaming and would like to write (unpaid) for this site, Contact Us and we'll be happy to have ya join our Authors! :)

Comments

  • #241

Think this thread needs to be closed in my humble opinion its got to the point where its circling the drain just going round and round in circles lol

  • #242

Why 3 months for an exploit? It could be forever at this rate if Sony never patches it lol we would be lucky to see an exploit in 2019 at all as far as I can see...

AlanXPG

  • #243

Are the people still insisting on this? My God.

  • #244

He comes when he comes. It does not help asking and begging. The talk of a kernel exploit is really on the cookie and we deviate from the subject. This is just about the webexploit and nothing else.

HackYourPS4

  • #245

@lucasnooker
There are no plans of releasing kexploit. Maybe later, but no eta or any promises. Simply buy 5.05 fw console and stop waiting for miracle, it wont happen any time soon. There are plenty places where you can buy 5.05 or lower fw new consoles for ~250 USD.

UltraLex

  • #246

I wonder if I could get good money for my 5.05 PS4?

  • #247

Seems we have to wait perhaps months

  • #248

Already have 5.05 ps4 lol but have to keep 2 ps4s for the sake of new releases all the time that I want to play. Would be nice to just have 1 ps4 to do it all but I guess that won't be possible until the ps5 launches or something xD

UltraLex

  • #250

When full expo is going to come!!

Status
Not open for further replies.
  • Tags
    2019 playstation 4 jailbreaking 2019 ps4 jailbreaking 6.20 ps4 filesystem with modules decrypted 6.20 ps4 jailbreaking 6.20 ps4 kernel dump 6.20 ps4 kernel offsets 6.20 ps4 user level exploit 6.20 ps4 userland exploit 6.20 ps4 webkit exploit 6.20-fs.zip cve-2018-4441 kernel_dump_620-1.zip lightningmods lokihardt orbis620.hpp playstation 4 jailbreaking 2019 ps4 6.20 jailbreaking ps4 6.20 user level exploit ps4 6.20 userland exploit ps4 6.20 webkit code execution exploit poc ps4 6.20 webkit exploit ps4 jailbreaking 2019 ps4 jailbreaking 6.20 ps4 user level exploit 6.20 ps4 userland exploit 6.20 ps4 webkit exploit 6.20 specterdev

Ps4 6.20 Jailbreak May 2019

Source: https://www.psxhax.com/threads/ps4-6-20-webkit-code-execution-exploit-poc-by-specterdev.6665/page-25

0 Response to "Ps4 6.20 Jailbreak May 2019"

Post a Comment

Subscribe to: Post Comments (Atom)

Iklan Atas Artikel

Iklan Tengah Artikel 1

Iklan Tengah Artikel 2

Iklan Bawah Artikel