Developer Aldo Vargas has released a significant upgrade to the PS5 UMTX Jailbreak exploit, originally developed by Idlesauce and based on the Lua implementation by Shahrilnet and n0llptr.

This new version integrates the latest payloads and components developed by leading figures in the homebrew scene: it includes John Tornblom's updated daemon payloads, and kstuff 1.3 and byepervisor by EchoStretch.

It also incorporates the latest version, 2.0b, of etaHEN from LightningMods and an updated version of ps5debug from GoldHEN.

Despite the updates, the technical structure of the exploit remains unchanged and is based on a use-after-free vulnerability within the PS5 browser’s WebKit engine.

This type of bug arises from incorrect lifetime management of JavaScript or DOM objects: when a specially crafted web page frees an object while a reference to it is still held, the dangling reference can be used to manipulate memory and overwrite sensitive data.
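The hazard described above (a reference that outlives the object it points to, and the slot being reused by a different object) can be shown deterministically without touching WebKit. The following is an added example, not code from the article or from the UMTX2 project: a hypothetical slot arena that stands in for a browser object heap, with a raw pointer kept across a free (the bug pattern) beside a generation-tagged handle, the kind of check engines use to refuse stale references. All names (`Slot`, `Handle`, `arena_*`, `uaf_scenario`) and the object kinds are constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical slot arena: fixed-size "DOM-like" objects live in slots. */
#define SLOT_COUNT 4

typedef struct {
    uint32_t kind;      /* object type tag, constructed: 1 = Node, 2 = String */
    char     name[16];
} Obj;

typedef struct {
    Obj      obj;
    uint32_t generation; /* bumped on every free; stale handles never match */
    int      in_use;
} Slot;

typedef struct {
    uint32_t index;
    uint32_t generation;
} Handle;

static Slot g_slots[SLOT_COUNT];

/* Allocate the lowest free slot (eager reuse makes the hazard easy to see). */
static Handle arena_alloc(uint32_t kind, const char *name) {
    Handle h = {UINT32_MAX, 0};
    for (uint32_t i = 0; i < SLOT_COUNT; i++) {
        if (!g_slots[i].in_use) {
            g_slots[i].in_use = 1;
            g_slots[i].obj.kind = kind;
            snprintf(g_slots[i].obj.name, sizeof g_slots[i].obj.name, "%s", name);
            h.index = i;
            h.generation = g_slots[i].generation;
            return h;
        }
    }
    return h; /* arena full: index stays UINT32_MAX */
}

/* Free: mark the slot reusable and bump its generation so old handles go stale.
 * Returns 0 for a stale handle or a second free of the same handle. */
static int arena_free(Handle h) {
    if (h.index >= SLOT_COUNT) return 0;
    Slot *s = &g_slots[h.index];
    if (!s->in_use || s->generation != h.generation) return 0;
    s->in_use = 0;
    s->generation++;
    memset(&s->obj, 0, sizeof s->obj);
    return 1;
}

/* Unsafe access: a raw pointer, which is what a dangling DOM reference amounts to. */
static Obj *arena_raw_ptr(Handle h) {
    return &g_slots[h.index].obj;
}

/* Safe access: resolve only if the slot is live and the generation still matches. */
static Obj *arena_get(Handle h) {
    if (h.index >= SLOT_COUNT) return NULL;
    Slot *s = &g_slots[h.index];
    if (!s->in_use || s->generation != h.generation) return NULL;
    return &s->obj;
}

/* Scenario: keep a reference to an object, free it, allocate something else.
 * Writes the kind seen through the stale raw pointer (the hazard) and returns
 * whether the generation-checked lookup refused the stale handle. */
static int uaf_scenario(uint32_t *kind_seen_by_dangling_ptr) {
    memset(g_slots, 0, sizeof g_slots);
    Handle node = arena_alloc(1, "div");
    Obj *dangling = arena_raw_ptr(node);    /* reference kept past the free */
    arena_free(node);                        /* object freed ...             */
    Handle str = arena_alloc(2, "hello");   /* ... slot reused by another object */
    (void)str;
    *kind_seen_by_dangling_ptr = dangling->kind; /* reads the new occupant: 2 */
    return arena_get(node) == NULL;              /* stale handle rejected: 1   */
}

int main(void) {
    uint32_t kind = 0;
    int rejected = uaf_scenario(&kind);
    printf("dangling raw pointer sees kind=%u; checked handle rejected=%d\n",
           kind, rejected);
    return 0;
}
```

The raw pointer quietly reads a String where the caller still believes a Node lives, which is exactly the type confusion a use-after-free hands an attacker; the generation check turns the same mistake into a NULL that the caller can handle. Real engines add heap isolation and quarantining on top of this, which is the class of countermeasure the article credits Sony with in later firmware.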

In the specific case of UMTX2, the flaw is exploited in combination with IPC mechanisms such as pipes and IPv6 sockets, thereby obtaining stable access to the console's kernel.

The exploit, however, is effective only on firmware up to version 5.50. In later firmware Sony has implemented countermeasures in both the memory manager and the heap layout, effectively neutralizing the vulnerability.

In addition, although upstream WebKit has fixed the bug in its latest versions, the browser built into the PS5 does not receive independent updates, so the exploit remains valid on systems with outdated firmware.

However, it is important to note that using this technique can cause console instability and crashes, and that it violates the terms of use imposed by Sony.

Main Characteristics of the

  • Compatibility: Supports PS5 firmware versions from 1.00 to 5.50.
  • Payload Menu: Includes an interface for managing payloads.
  • PSFree 150b: Uses version 150b of the PSFree exploit, developed by abc.
  • ELF Loader: Automatically loads John Tornblom's ELF loader.
  • Legacy payload compatibility: Includes ELF 9020 to support older payloads (not available in Webkit-only mode).
  • Webkit-only mode: Offers a mode to send payloads and clear the application cache through Webkit.

Access to the exploit

The exploit is hosted on two platforms:

  • The Cloudflare page:
    • Website: https://umtx2.pages.dev/
    • Package (PKG): https://umtx2.ps5browser.pages.dev/umtx2.pages.dev.pkg – lets you open the PS5 browser directly at the exploit link.
  • GitHub page:
    • Website: https://idlesauce.gitub.io/umtx2/
    • Package (PKG): https://umtx2.ps5browser.pages.dev/umtx2.githubq.pkg – same purpose, but for the GitHub website.

Changelog

  • Latest daemon payloads by John Tornblom.
  • Latest version of kstuff (1.3) by EchoStretch.
  • Latest release of etaHEN (2.0b) by LightningMods.
  • Latest byepervisor version by EchoStretch.
  • Updated ps5debug by GoldHEN.
