Conversation

carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Scope: The post documents a complete, reproducible method for usermode ELF injection on PlayStation 5 (PS5) processes. It leverages FreeBSD internals, kernel read/write (R/W) primitives from public exploits (latest firmware reported exploitable: 10.01, status as of Sep 3, 2025), vm_map manipulation to grant executable pages, and ptrace-based remote function invocation to map and run arbitrary ELFs inside target processes. It ships working code, offsets, constants...

🔧 Technical Details

Credential patch for debugging: With a kernel write primitive, locate the current struct proc in allproc, then write 0x4800000000010003 (PTRACE_AUTHID) to proc->p_ucred + 0x58. This grants ptrace/mdbg rights so the injector can suspend threads, read/write memory, and set registers in target processes.


Bypass RW-only user mappings: Traverse the target’s vm_map (linked list or BST) to find desired vm_map_entry objects and set protection |= PROT_EXEC. This converts RW pages to RX/RWX as needed, enabling staging code or loader thunks even when mmap would normally prohibit executable pages.


Ptrace remote function invocation: Implement an RFI wrapper that pauses a target thread, saves context, writes registers (RIP/arguments) to point at the desired function (e.g., elfldr routines), resumes to execute, then restores the origina...

🤖 Agent Actions

I analyzed the blog post and the HackTricks repository and found there was no existing page covering Unix/BSD usermode injection via FreeBSD ptrace with kernel data-only writes, vm_map PROT_EXEC flipping, and in-process ELF mapping—especially in the PS5 context. The closest material lives under macOS Process Abuse (Mach task-port based injection and IPC), but nothing on FreeBSD ptrace-based RFI or vm_map manipulation.

What I did:

  • Created a new technical page under macOS Process Abuse (best matching place for Unix/BSD process/code injection content already in HackTricks):

    • src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/freebsd-ptrace-rfi-vm_map-prot_exec-bypass-ps5.md
    • It includes:
      • Kernel data-only access to enumerate processes via allproc
      • Credential patch for debugger ability (ucred authid write)
      • Bypass of RW-only user mappings via vm_map entry protection |= PROT_EXEC
      • ptrace-based Remote Function Invocation (RFI) flow for in-process calls
      • ELF mapping with elfldr and stager thread with int3 detach
      • End-to-end injection pipeline (NineS server + Python client)
      • Notes on PS5 hypervisor mitigations (XOM, CR0.WP/CR4.SMEP vmexit) and constraints
      • Public tooling links and a Reference section including the blog URL
  • Linked the new page from the main macOS Process Abuse README with a clear subsection:

    • Added “FreeBSD/PS5 ptrace RFI and vm_map PROT_EXEC bypass” including a brief description and an internal reference to the new page.

Files modified/created:

  • Created:
    • src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/freebsd-ptrace-rfi-vm_map-prot_exec-bypass-ps5.md
  • Modified:
    • src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/README.md
      • Inserted a new subsection linking to the new page just before the Detection section.

Notes:

  • I avoided creating a new generic-hacking section and instead placed this under Process Abuse, which already hosts related content.
  • I preserved existing content and structure, used proper formatting and code blocks, added a References section at the end of the new page, and ensured internal links and banner includes are correct.

No other overlapping or duplicate content was found, so no other updates were necessary.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

🗑️ File Cleanup

  • searchindex.js removed: This auto-generated file has been removed to prevent conflicts.

- Remove searchindex.js (auto-generated file)
@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://reversing.codes/posts/PlayStation-5-ELF-Injection/

Content Categories: Based on the analysis, this content was categorized under "Generic Hacking > Process/Code Injection (Unix/BSD) > FreeBSD ptrace RFI and vm_map PROT_EXEC bypass (PS5 case study)".

Repository Maintenance:

  • MD Files Formatting: 877 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
