Exploit Chains
Jump to navigation
Jump to search
This page presents a compilation of exploit chains that utilize various Vulnerabilities identified on the PS5. It outlines the current functionalities of different potential and complete exploit chains for specific firmware versions.
| System Software Version | Hardware requirement | Hypervisor Exploit | Kernel Exploit | Usermode Exploit | Exploit Chain Implementation | Capability |
|---|---|---|---|---|---|---|
| <=2.70 | various | flatz's | umtx UaF | any usermode exploit | Unreleased by Flatz | Full Access to the system, HEN, Platform Secure Processor dump |
| <=2.70 | various | Byepervisor | umtx UaF | any compatible usermode exploit: WebKit loadInSameDocument or BD-JB or Lua escape from PS4 disc-based game savedata | Byepervisor by Specter | Full Access to the system, HEN |
| <=4.03 | USB storage media | N/A | exFAT Driver Heap Exploit There is no implementation because of the difficulty in writing the exploit without a real-time kernel dump or at least kASLR defeat. The proof of concept is a kernel panic when plugging in the drive and using the console for about a minute. | any compatible usermode exploit | N/A (PS4 uses pOOBs4 by ChendoChap) | kernel panic only |
| 3.00-4.51 | HTTP server | N/A | IPV6_2292PKTOPTIONS UaF (CVE-2020-7457) | WebKit loadInSameDocument | need to mix Cryptogenic's Implementation and PsFree implementation by abc | Elf Loader |
| 3.00-4.51 | HTTP server | N/A | IPV6_2292PKTOPTIONS UaF (CVE-2020-7457) | WebKit CSSFontFaceSet | Cryptogenic's Implementation | Elf Loader |
| 3.00-4.51 | BD reader for PS5 + BD writer + BD-RE | N/A | IPV6_2292PKTOPTIONS UaF (CVE-2020-7457) | BD-JB | ps5-invoke-native by john-tornblom, bd-jb by TheFloW | Native code execution within Blu-ray context |
| 3.00-4.51 | BD reader for PS5 + BD writer + BD-RE | N/A | IPV6_2292PKTOPTIONS UaF (CVE-2020-7457) | PS4 disc-based game save data exploit that hijacks the LUA interpreter | Lua usermode ROP working but not chained yet with ipv6 UaF | Native code execution within Blu-ray context |
| 3.00-4.51 | HTTP server | N/A | umtx UaF | WebKit CSSFontFaceSet | WebKit implementation for PS5 1.00-5.50 chained with CSSFontFaceSet by Specter | Elf Loader on 1.00-4.51, ROP on 5.00-5.51 |
| 1.00-5.50 | HTTP server | N/A | umtx UaF | WebKit loadInSameDocument | WebKit implementation for PS5 1.00-5.50 chained with PS Free by Specter | Elf Loader on 1.00-4.51, ROP on 5.00-5.51 |
| 1.00-5.50 | BD reader for PS5 + BD writer + BD-RE | N/A | umtx UaF | BD-JB2 | [1] based on JAVA PoC by flatz | Native code execution within Blu-ray context |
| 1.00-5.50 | vulnerable game in disc or PS Store version + exploit game save data on the SSD | N/A | umtx UaF | PS4 disc-based game save data exploit that hijacks the LUA interpreter | [2] | Elf Loader |
| 6.00-7.61 | BD reader for PS5 + BD writer + BD-RE | N/A | umtx UaF + GPU DMA copy | BD-JB2 | [3] based on JAVA PoC by flatz | Native code execution within Blu-ray context |
| 6.00-7.61 | vulnerable game in disc or PS Store version + exploit game save data on the SSD | N/A | umtx UaF + GPU DMA copy | PS4 disc-based game save data exploit that hijacks the LUA interpreter | [4] | Elf Loader |
| 6.00-7.61 | HTTP server | N/A | umtx UaF + GPU DMA copy | WebKit vulnerabilities not yet found | N/A (WebKit vulnerabilities only lead to OOM as of now) | Elf Loader |