Jailbreak Exploits

Firmware 5.05: /dev/bpf

The Berkeley Packet Filter device, BPF for short, provides a raw interface to the data link layer, permitting raw link-layer packets to be sent and received.

Hacker qwertyoruiopz found a double free vulnerability in this FreeBSD device which allows the PlayStation 4 kernel to be exploited on firmware up to 5.05. Hacker SpecterDev later released a detailed write-up for it. The vulnerability got "patched" (read: blocked off) in later firmware for unprivileged processes - WebKit can no longer open the device. The vulnerability in the BPF device itself remains unpatched.

Read Full Writeup
Firmware 4.55: bpf_filter

The Berkeley Packet Filter device, BPF for short, provides a raw interface to the data link layer, permitting raw link-layer packets to be sent and received.

The 4.55 kernel exploit targets a separate vulnerability in the same FreeBSD BPF device, named after the bpf_filter routine it involves. It was likewise found by qwertyoruiopz, and SpecterDev later released a detailed write-up for it.

Read Full Writeup
Firmware 4.05: namedobj

In a write-up released in October 2017, fail0verflow described this exploit. They had managed to obtain a dump of the firmware 1.01 kernel which included not only exported symbols but also full ELF symbols, an oversight that proved very beneficial for reverse engineering. The vulnerability was also found and exploited by (at least) Chaitin Tech, and it was patched in 4.06 after Chaitin Tech reported the bugs to Sony.

On 27 December 2017, SpecterDev implemented an exploit for 4.05 based on fail0verflow's write-up, using qwertyoruiopz's WebKit exploit as the entry point. The WebKit exploit used on earlier firmware no longer provided RWX memory mappings, because JIT is now handled by a completely separate method, rendering that entry point useless.

Read Full Writeup
Firmware 1.76: sys_dynlib_prepare_dlclose

The web browser in the PlayStation 4's 1.76 firmware uses a revision of WebKit that turns out to be vulnerable to CVE-2012-3748. The exploit was originally written for the Safari web browser and was ported over by nas and Proxima in 2014. It gives arbitrary read and write access inside the WebKit process, with the JIT (just-in-time compilation) region serving as the route to code execution.

Kernel access was obtained via the kernel vulnerability known as BadIRET (CVE-2014-9322), originally reported against Linux and later found to affect FreeBSD as well. It was fixed upstream in 2014; however, the PlayStation 4's 1.76 firmware was found to still be vulnerable to BadIRET, which allowed firmware 1.76 to be fully exploited.

CTurt's write-up did not include a release of source code; it provided only the necessary information, inviting developers to put the pieces together. On 24 March 2016, Zer0xFF, with the help of bigboss and Twisted, completed the puzzle and released the source code for a proof of concept of the dlclose kernel exploit (the bug in the PS4-specific sys_dynlib_prepare_dlclose system call that gives this section its name) for the public to download.

CTurt also provided a write-up, with qwertyoruiopz, detailing the analysis of the exploit.

Read Full Writeup
Join SCE Party on Discord

If you're interested in the PlayStation 4 hacking scene and would like to receive the latest updates, consider joining our Discord server! You will be notified when new information is available.