News: First PS5 userland exploit in the wild! (Webkit FontFace)

Multiple people have confirmed that Sleirsgoevy’s implementation of the Webkit FontFace exploit works on PS5.
It should be noted that the exploit works on the latest firmware 21.02-04.03.

While a webkit exploit in itself is not terribly useful for end users, this is to my knowledge the first ever confirmed PS5 exploit, so this is pretty big news.

A Twitter user who goes by @a_koski_a has a video showing the exploit running to completion on firmware 21.01-03.21.00. That specific firmware update was released in July this year, so it’s a few iterations behind, but it was confirmed to be working on the current firmware!

Another Twitter user, @ArdeeSantos3 has also confirmed with a video that firmware 21.02-04.02 is also impacted by the vulnerability.
Finally to top it off, there is a YouTube video showing PoC that the exploit works on the latest firmware (21.02-04.03), and you can see it below.

What does a PS5 Webkit exploit mean for the scene?

Even something as small as a webkit exploit could open the door to some nice investigation of the PS5’s software internals. It would be fairly limited but could let us access some sections of the PS5’s RAM, and from there possibly fetch a few of the console’s libraries for reverse engineering. It’s unlikely a kernel exploit would be found from there, but one can dream.

How to test and confirm the FontFace Exploit on your PS5

  1. Get the exploit from Sleirsgoevy’s github and put it on your local server, then point your PS5’s browser to the file (alternatively, point your PS5 to one of the public servers hosting the file such as https://kameleonreloaded.github.io/900Test/).
    • Note: It’s a bit tricky to use the PS5’s browser since it is hidden. You’ll want to follow this guide to get it to load, and then try to click your way to the page you want to access.
  2. Click on the html button and wait
  3. You should see a series of Javascript alerts (click ok for each one). They are, in order:
    1. guessed fontface addr:…
    2. stringimpl leak:…
    3. fastmalloc.length =…
    4. jsvalue leak:…
    5. array256=…
    6. butterfly=…
    7. arrays[257].length=…
    8. addrof(null)=…
    9. Last but not least, a series of comma separated numbers
If you see the whole sequence of alerts, in particular the last one (comma separated numbers), congrats, the exploit worked for you! If it fails at any of the steps above (which would be visible by an error message such as “not enough memory”, or the browser not doing anything for a long amount of time), then your attempt failed, and you should reload the page and try again.

This is big news for the console modding scene as a whole! We're not completely dead yet!

I got my source from an article on wololo.net, posted by WOLOLO, and shortened/modified it a bit. This is fairly breaking news, and I haven't seen it posted here yet to my knowledge from a quick search. I didn't really add any of my own thoughts here; it is merely a repost. All credit for findings go to WOLOLO.