A fully implemented kernel exploit for the PS4 on 5.05FW
Latest commit 56acabc Aug 15, 2018
Files in the repository (name: latest commit message, commit time):

  • docs: Create CNAME (May 27, 2018)
  • .nojekyll: Create .nojekyll (May 27, 2018)
  • README.md: Update README.md (Jun 4, 2018)
  • expl.js: Add files via upload (May 27, 2018)
  • homebrew.js: Add files via upload (May 27, 2018)
  • index.html: Update index.html (May 31, 2018)
  • js_shellcode.py: Cleaned up code a bit because blocksize is not needed (Jun 4, 2018)
  • kernel.js: Update kernel.js (Aug 11, 2018)
  • mira.js: Add files via upload (May 27, 2018)
  • rop.js: Add files via upload (May 27, 2018)
  • syscalls.js: Remove duplicate syscall (May 31, 2018)
  • userland.js: Add files via upload (May 27, 2018)


PS4 5.05 Kernel Exploit


Summary

This project contains a full implementation of the second "bpf" kernel exploit for the PlayStation 4 on firmware 5.05. It allows arbitrary code to run in kernel mode, which enables jailbreaking and kernel-level modifications to the system. The exploit also includes auto-launching code for Mira and Vortex's HEN payload; subsequent loads launch the usual payload launcher.

This bug was discovered by qwertyoruiopz, and his exploit can be found hosted on his website here. The GitHub Pages site automatically generated from this repository should also work.

Patches Included

The following patches are made by default in the kernel ROP chain:

  1. Disable kernel write protection
  2. Allow RWX (read-write-execute) memory mapping
  3. Syscall instruction allowed anywhere
  4. Dynamic Resolving (sys_dynlib_dlsym) allowed from any process
  5. Custom system call #11 (kexec()) to execute arbitrary code in kernel mode
  6. Allow unprivileged users to call setuid(0) successfully. This works as a status check and doubles as a privilege escalation.

Payloads included

  1. Vortex's HEN (Homebrew Enabler)
  2. Mira

Notes

  • The page will crash on successful kernel exploitation; this is normal.

Contributors

Massive credits to the following:

Additional Thanks
