Editing Exploit Chains

This page presents a compilation of exploit chains that utilize various [[Vulnerabilities]] identified on the PS5. It outlines the current functionalities of different potential and complete exploit chains for specific firmware versions.

{| class="wikitable"
|+
!System Software Version
!Hardware requirement
!Hypervisor Exploit
!Kernel Exploit
!Usermode Exploit
!Exploit Chain Implementation
!Capability
|-
|<=2.50
|none
|Rumored [https://www.psxhax.com/threads/flat_z-confirms-ps5-hypervisor-exploitation-from-ps4-save-game.16063/]
|No need for a kernel exploit
|any usermode exploit. Flatz uses a PS4 disc-based game save data exploit that hijacks the LUA interpreter.
|Unreleased by [https://github.com/flatz Flatz]
|Full Access to the system, Platform Secure Processor dump
|-
|<=4.03
|USB storage media
|N/A
|[[Vulnerabilities#FW%20%253C%3D%204.03%20-%20exFAT%20driver%20heap-based%20buffer%20overflow|exFAT Driver Heap Exploit]] There is no implementation because of the difficulty in writing the exploit without a real-time kernel dump or at least kASLR defeat. The proof of concept is a kernel panic when plugging in the drive and using the console for about a minute.
| any usermode exploit
|N/A (PS4 uses [https://github.com/ChendoChap/pOOBs4 pOOBs4 by ChendoChap])
|N/A
|-
|3.00-4.51
|none
|N/A
|[[Vulnerabilities#FW 3.00-4.51 - IPV6 2292PKTOPTIONS UaF (yielding arbitrary kernel R/W) (CVE-2020-7457)|IPV6_2292PKTOPTIONS UaF (CVE-2020-7457)]]
|WebKit [[Vulnerabilities#FW_%3C=_5.50_-_FrameLoader::loadInSameDocument()_UaF_(CVE-2022-22620)_leading_to_arbitrary_RW|loadInSameDocument]]
| need to mix [https://github.com/Cryptogenic/PS5-IPV6-Kernel-Exploit Cryptogenic's Implementation] and PsFree implementation by abc
|Elf Loader
|-
|3.00-4.51
|none
|N/A
|[[Vulnerabilities#FW 3.00-4.51 - IPV6 2292PKTOPTIONS UaF (yielding arbitrary kernel R/W) (CVE-2020-7457)|IPV6_2292PKTOPTIONS UaF (CVE-2020-7457)]]
|WebKit [[Vulnerabilities#FW_3.00-4.51_-_WebCore::CSSFontFaceSet_vulnerabilities_leading_to_usermode_ROP_code_execution|CSSFontFaceSet]]
|[https://github.com/Cryptogenic/PS5-IPV6-Kernel-Exploit Cryptogenic's Implementation]
|Elf Loader
|-
|3.00-4.51
|BD reader for PS5 + BD writer + BD-RE
|N/A
|[[Vulnerabilities#FW 3.00-4.51 - IPV6 2292PKTOPTIONS UaF (yielding arbitrary kernel R/W) (CVE-2020-7457)|IPV6_2292PKTOPTIONS UaF (CVE-2020-7457)]]
|[[Vulnerabilities#FW_%3C=_4.51_-_BD-JB_-_Five_vulnerabilities_chained_by_TheFloW|BD-JB]]
|[https://github.com/john-tornblom/bdj-sdk/tree/master/samples/ps5-invoke-native ps5-invoke-native by john-tornblom], [https://github.com/TheOfficialFloW/bd-jb bd-jb by TheFloW]
|Native code execution within Blu-ray context
[https://github.com/john-tornblom/bdj-sdk/tree/master/samples Here are some functions by john-tornblom]
|-
|1.00-5.50
|none
|N/A
|[[Vulnerabilities#FW_%3C=_7.61_-_umtx_UaF_(yielding_arbitrary_kernel_R/W)_(CVE-2024-43102)|umtx UaF]]
|WebKit [[Vulnerabilities#FW_%3C=_5.50_-_FrameLoader::loadInSameDocument()_UaF_(CVE-2022-22620)_leading_to_arbitrary_RW|loadInSameDocument]]
|N/A (PsFree must be ported based on ChendoChap's implementation of the 4.51 CSSFontFaceSet exploit)
|Elf Loader
|-
|6.00-7.61
|none
|N/A
|[[Vulnerabilities#FW_%3C=_7.61_-_umtx_UaF_(yielding_arbitrary_kernel_R/W)_(CVE-2024-43102)|umtx UaF]]
|WebKit [[Vulnerabilities#FW_6.00-8.60_-_JSC_DFG_Abstract_Intepreter_clobberWorld_Type_Confusion_(no_CVE)_leading_to_arbitrary_RW|clobberWorld]] or [[Vulnerabilities#FW_6.00-9.60_-_Unknown_heap_and_string_overflow_(no_CVE)_leading_to_crash|unknown heap and string overflow]]
|N/A (WebKit exploit only giving OOM as of now)
|Elf Loader
|-
|1.00-7.61
|BD reader for PS5 + BD writer + BD-RE
|N/A
|[[Vulnerabilities#FW_%3C=_7.61_-_umtx_UaF_(yielding_arbitrary_kernel_R/W)_(CVE-2024-43102)|umtx UaF]]
|[[Vulnerabilities#FW_%3C=_7.61_-_BD-JB2_-_Path_traversal_sandbox_escape_by_TheFloW|BD-JB2]]
|PoC by flatz
|Native code execution within Blu-ray context
|-
|1.00-7.61
|vulnerable game in disc or PS Store version + exploit game save data on the SSD
|N/A
|[[Vulnerabilities#FW_%3C=_7.61_-_umtx_UaF_(yielding_arbitrary_kernel_R/W)_(CVE-2024-43102)|umtx UaF]]
|PS4 disc-based game save data exploit that hijacks the LUA interpreter
|LUA PoC by flatz but the exploit game save data is missing
|Elf Loader
|}