A fully implemented kernel exploit for the PS4 on 4.55FW
Switch branches/tags
Nothing to show
Clone or download
Latest commit bb0dfe8 Mar 1, 2018
Permalink
Failed to load latest commit information.
README.md Update README.md Feb 28, 2018
index.html Add files via upload Feb 27, 2018
kernel.js Added kdlsym patch + fixes Feb 28, 2018
loader.js Add files via upload Feb 27, 2018
rop.js Add files via upload Feb 27, 2018
syscalls.js Update syscalls.js Feb 28, 2018
userland.js Add files via upload Feb 27, 2018

README.md

PS4 4.55 Kernel Exploit


Summary

In this project you will find a full implementation of the "bpf" kernel exploit for the PlayStation 4 on 4.55. It will allow you to run arbitrary code as kernel, to allow jailbreaking and kernel-level modifications to the system. This release however, does not contain any code related to defeating anti-piracy mechanisms or running homebrew. This exploit does include a loader that listens for payloads on port 9020 and will execute them upon receival.

This bug was discovered by qwertyoruiopz, and can be found hosted on his website here.

Patches Included

The following patches are made by default in the kernel ROP chain:

  1. Disable kernel write protection
  2. Allow RWX (read-write-execute) memory mapping
  3. Syscall instruction allowed anywhere
  4. Dynamic Resolving (sys_dynlib_dlsym) allowed from any process
  5. Custom system call #11 (kexec()) to execute arbitrary code in kernel mode
  6. Allow unprivileged users to call setuid(0) successfully. Works as a status check, doubles as a privilege escalation.

Notes

  • Payloads from 4.05 should be fairly trivial to port unless they use hardcoded kernel offsets
  • I've built in a patch so the kernel exploit will only run once on the system, you can make additional patches via payloads.
  • A custom syscall is added (#11) to execute any RWX memory in kernel mode, this can be used to execute payloads that want to do fun things like jailbreaking and patching the kernel.

Contributors

Massive credits to the following: