PS4 Kernel Exploit 5.05 by Gamecrackers

Summary

In this project you will find a full implementation of the second "bpf" kernel exploit for the PlayStation 4 on firmware 5.05. It allows you to run arbitrary code in kernel mode, enabling jailbreaking and kernel-level modifications to the system. The exploit also contains autolaunching code for Mira and Vortex's HEN payload. Subsequent loads will launch the usual payload launcher.

This bug was discovered by qwertyoruiopz, and can be found hosted on his website here. The GitHub Pages site automatically generated from this repository should also work.

Patches Included

The following patches are made by default in the kernel ROP chain:
  1. Disable kernel write protection
  2. Allow RWX (read-write-execute) memory mapping
  3. Syscall instruction allowed anywhere
  4. Dynamic Resolving (sys_dynlib_dlsym) allowed from any process
  5. Custom system call #11 (kexec()) to execute arbitrary code in kernel mode
  6. Allow unprivileged users to call setuid(0) successfully. Works as a status check, doubles as a privilege escalation.

Payloads Included

  1. Vortex's HEN (Homebrew Enabler)
  2. Mira

Notes



