PS4: Sleirsgoevy releases operational Webkit exploit for Firmware 9.00
Screenshot shamelessly taken from @YakuzaMink’s video
Developer Sleirsgoevy has refined his port of the Webkit FontFace Exploit, and made it fully operational (arbitrary Read/Write) for PS4 Firmware 9.00. Before you keep on reading and jump excitedly, please take the time to read the disclaimer section below.
Disclaimers
TL,DR: Do not update your PS4 just yet. Although this is an awesome technical breakthrough, this is a low reliability, usermode only exploit that for now is not useful to you as the end user. As always, just stay put on as low a firmware as you possibly can.
Only Firmware 9.00 is impacted, this cannot be ported to Firmwares 8.xx
This is a Webkit exploit that works only on Firmware 9.00. Firmwares under this (in particular 8.xx) are apparently “immune” to the vulnerability, according to PS4 Dev Wiki edits from CelesteBlue:
Might have been introduced in PS4 FW 3.50 according to dates (need to check). However the vulnerability cannot be exploited in some conditions depending on how WebKit was compiled. For example, on PS4 FWs 7.55-8.53, the FontFaceSet constructor returns with an exception that is propagated to JavaScript, preventing exploitation this way.
Low reliability in its current state
Although this could get refined in time, in my personal tests, I have failed to run the exploit to completion, after more than 50 attempts.
I’m also seeing reports from people on Twitter who are clearly not getting the expected result (even though they might be believing they are getting the exploit to work, due to the sheer amount of alert boxes that are being displayed in the process). I’ve only seen one confirmed report of success so far in all the screenshots I’ve seen shared by scene members.
This is “only” a Webkit exploit, there is no kernel exploit yet
This is of course the most important aspect here. A Webkit exploit alone is not “enough” for end users. Although in theory such a usermode exploit could allow for a few nice things including some not-too-demanding homebrew, in practice what the scene typically expects is a full Jailbreak.
In order to get a PS4 Jailbreak, this Webkit exploit would need to be coupled with a privilege escalation (kernel exploit), which we do not have at the moment. Although CTurt has hinted that something might come on that front, we currently do not know if his exploit will ever be disclosed, and it’s possible it’s been patched with 9.00
How to test and confirm the FontFace Exploit on your PS4
- In order to run this test, your console needs to be on firmware 9.00, but if you are on a lower firmware, read the “Disclaimers” section above and do not update your console. People on 8.xx won’t be able to test this, but it’s better to stay on a low firmware for now.
- Get the exploit from Sleirsgoevy’s github and put it on your local server, then point your PS4’s browser to the file (alternatively, point your PS4 to one of the public servers hosting the file such as https://kameleonreloaded.github.io/900Test/
- Click on the html button and wait
- You should see a series of Javascript alerts (click ok for each one). They are, in order:
- guessed fontface addr:…
- stringimpl leak:…
- fastmalloc.length =…
- jsvalue leak:…
- array256=…
- butterfly=…
- arrays[257].length=…
- addrof(null)=…
- Last but not least, a series of comma separated numbers
If you see the whole sequence of alerts, in particular the last one (comma separated numbers), congrats, the exploit worked for you! If it fails at any of the steps above (which would be visible by an error message such as “not enough memory”, or the browser not doing anything for a long amount of time), then your attempt failed, and you should reload the page and try again.
Below is the only example I’ve found of the exploit working to completion, thanks to @YakuzaMink:
It might take multiple attempts to get the exploit to work for you, there’s lot of randomness involved given the nature of the exploit. With that being said, don’t give up and try a few times before calling it a day 