- August 1, 2023
In this blog post, we’ll be discussing the recent release of ‘libhijacker’ by Astrelsky, a prominent developer and one of many paving the way for running homebrew on our beloved PS5 consoles. This method has been eagerly anticipated, with prominent figures like Zeco and nullptr dropping hints about its potential. Let’s dive into the details!
Exploring the libhijacker
The libhijacker, released by Astrelsky earlier this week, marks a significant milestone on the road to homebrew on the PS5. It is not yet capable of running homebrew applications, but this release is a crucial first step. Further development is still required to reach that stage; what makes it exciting is that it already offers an interim way to expand what the PS5 can do beyond the current firmware exploits, which cover firmware 3.0 to 4.51.
Understanding the Method
So, how does this method work? Astrelsky himself shed some light on the matter. The libhijacker works by writing shellcode into the PS5’s Redis server, which was previously reachable through a remote-connection payload. Redirecting the server’s control flow into this shellcode spawns a new Redis server process; that new process is then hollowed out, and an infinite sleep loop is inserted at its entry point. The result is a daemon, a background process that runs constantly as an ELF loader on port 9027. This technique is better known as a ‘process hollowing’ attack, in which an attacker replaces a legitimate process’s code with their own; here it is repurposed to run homebrew code, allowing custom ELF files to be loaded over the network.
Advantages over Existing ELF Loaders
One might wonder why this ELF loader is superior to the current options provided by Specter and others. The answer lies in its status as a daemon process, which runs independently of the WebKit or BD-J disc player application and their restrictions. This freedom lets us read and write almost anywhere in userland memory, bypassing memory protections. With these capabilities, we can patch the shell core, launch game processes and take control of them before they start, and explore a wide array of possibilities.
A Sneak Peek into the Process
While we eagerly await a more comprehensive tutorial and further progress on this method, let’s briefly explore how it functions. For this example, we’ll assume you have an exploit running on your PS4, such as the recommended Blu-ray drive exploit. It should also work with other exploits, such as Specter’s and sleirsgoevy’s WebKit-based exploits. Here’s a simplified breakdown of the process:
1. Obtain your PS5’s IP address.
2. Run the modified Blu-ray disc with the exploit, triggering the jailbreak process on your PS4.
3. Once successful, the ELF loader will run on port 9020.
4. On your computer, set up the PS5 proof of concept by extracting the files and placing them in a designated folder.
5. Use the spawner.elf payload to hijack the Redis process and create a background ELF loader on port 9027.
6. Test the method by sending a test ELF payload to the hijacker process. If it executes without errors, the operation was successful.
While we’re still in the early stages of this PS5 jailbreak development, the release of the libhijacker by Astrelsky brings immense potential for future homebrew endeavors, although it may take some time for substantial homebrew applications to materialize. Check out the video below for more info. (Credit: MODDEDWARFARE)