Tutorial: running the PS5 4.03/4.50/4.51 exploit on Windows, with additional DNS security (telemetry blocking, etc...) - Wololo.net (2024)

If you have a PS5 running firmware 4.03/4.50/4.51 (or are planning to get one), it’s likely you’ll want to get the recently released Kernel exploit a try. Although it’s possible to use some of the (trusted) hosts that pretty much do all the work for you, it will be better, in particular in these early days, to run it locally on your own network if you want to start tinkering with it.

Trying the PS5 exploit is nice, running it yourself is better!

You can very easily give the 4.03/4.50/4.51 exploit a try on trusted hosts such as Echo Stretch’s server (http://es7in1.site/ps5jb/main.html) and Kameleon’s server (https://kmeps4.github.io/ps5_403/index.html). But these will not let you manipulate the files to your liking, which is pretty much required at this point if you’re trying to understand how the hack actually works, or if you’re looking to start doing “stuff” such as dumping files, etc…

To do this, you’ll want to run the exploit on a local server that you’ll host on your own computer, and you will need to use a bit of DNS trickery to access the server by clicking on the “user’s manual” on PS5. This might already sound complicated, but SpecterDev’s release pretty much does most of the heavy lifting for us.

Nevertheless, it personally took me almost a full day to get my Network to a state I like, so I’m hoping to save you some time here.

Here’s what we’ll do:

1. The PS5 will access the internet through a shared connection on a Windows PC (see picture below). The PC accesses the internet through Wifi, and then shares its connection with the PS5 through an ethernet cable.
2. The Windows PC will be running the FakeDNS server provided with SpecterDev’s release, as well as the accompanying http server to host the exploit
3. Last but not least, we will create a reasonable dns config file which blocks PlayStation’s telemetry and update urls: we wouldn’t want to send unnecessary information to Sony, or upgrade to a higher firmware by mistake

Note that there are many ways to achieve similar results, this is what I’ve found to be convenient for me, but if there are other ways that work better for you, go for it! I’d say the essential part is making sure you have full control of where the PS5 network requests end up, and being able to easily tweak the exploit to your liking moving forward.

Overall, my setup looks like this:

Step 1 – Sharing the Connection from PC with PS5

You’d think something that obvious is easy to achieve. Well, it is, the answer was just hard to find on the internet, so I’ll get straight to the point:

1. Windows Settings > Select theNetwork & Internet option > Change Adapter options > Find the Network you want to share (in my case, my wifi), and select “properties”
2. Select the Sharing tab, and Click thecheckboxfor “Allow other network users to connect through this computer’s Internet connection.”
3. From here, you might have a dropdown menu that lets you select which network adapter the request will be coming from (in my case, the ethernet connection). For me, that dropdown did not show up, so I had nothing to check.

You can check this whole process with pictures here.

Your PC is now ready to serve as a bridge between your PS5 and the internet. Yay!

A few notes:

• Enabling this “connection sharing” on my wifi did a bunch of weird changes to my ethernet connection. Specifically, windows assigned it a static IPv4 address, outside of my regular subnet mask, technically creating a different sub network. Maybe that’s by design, maybe that’s specific to my case, I have no idea, but that information is quite critical: check your ethernet adapter properties (the port on your PC you will be connecting your PS5 to), and check your ipv4 address. You might also find it by typing ipconfig in the windows command line (cmd). In my case, that ethernet IP was 192.168.137.1. That’s not particularly relevant for you but you will see it in a lot of my examples, so remember to replace that value with your own ethernet adapter’s IP.
• This whole setup will also allow your Windows PC to work as a DHCP server, meaning the internet setup on your PS5 will be a breeze. At least that’s how it ended up working for me.

Step 2 – Connecting the PS5 (Verification Step)

You can skip this step for now (and get back to it after everything else is done) if you trust your Network skills.

In theory it’s not a great idea to already plug the PS5 into the network, especially after I’ve warned you about all that telemetry and the risk to update by mistake, etc… (oh, by the way, you of course deactivated the options to auto-update the firmware on your PS5, right? Right? Settings > System > System Update Software and Settings. Come on, do it now if you haven’t already.)

You don’t need this step but it’s pretty important to make sure things work so far before we proceed with the rest.

So, we’re going to setup the internet connection between our PS5 and our PC to make sure everything’s fine so far.

1. Make sure that the PC runs and is connected to the internet via your wifi connection
2. Make sure that the PS5 runs and is connected to the PC via a LAN cable (see my awesome schema above)
3. On the PS5, go to Settings > Network > Settings > Set Up Internet Connection
4. You should be able to create or edit something named Wired LAN 1 (or a similar name… the fact that it’s the ethernet, not Wifi, is pretty much key here)
5. Set everything to automatic. Yeah, I know, I’m shocked too. I only have basic network knowledge but I assume this means your Windows PC now acts as a DHCP server, as the default Gateway, and as your DNS…?

   

   Sometimes it do be simple like that

6. Go back to Network > Connection Status > Test Internet Connection, and make sure all tests (all 2 of them) succeed.

So, err, if step 6 is successful, congrats, you’re now accessing the internet on your PS5 by using your laptop as a bridge to your router. That’s great. You also shared a bunch of telemetry info with Sony’s servers, which isn’t great but not a big deal at this point.

If something fails at that point, double check everything: is your connection sharing enabled on the PC’s Wifi? Is the LAN cable plugged into both the PC and the PS5? Try maybe hardcoding your ethernet IP as the default gateway and default DNS server in the PS5 settings? Look, I’m not sure, it works for me with the defaults, ok?

Step 3 – Get the exploit and run the HTTP Server

Alright, your little Network is ready between the PS5 and the PC, now we’ll get the necessary files for the exploit, and make sure we can run them as expected.

1. Download and install Python 3 if you don’t have that already
2. Download the PS5 exploit from SpecterDev’s github. Don’t be shy, and grab the whole archive (if link doesn’t work, the github is at https://github.com/Cryptogenic/PS5-4.03-Kernel-Exploit)
3. Extract the exploit files to a convenient location
4. in the windows command line go to the folder where you extracted the exploit, and run python host.py . This should start your web server that will host the exploit

   

   the https server delivering the exploit files

5. Verification time! open your web browser on your PC, type https://[your ethernet IP here]/document/en/ps5 and you should be greeted with the exploit (or, rather, the exploit trying to run but just being a loop because that webkit exploit doesn’t work on your PC browser). Your browser might complain about an untrusted connection (because that’s an https server running without the proper certificate) but go ahead and proceed. In my case, https://192.168.137.1/document/en/ps5

By this point if everything went smoothly, you’ve managed to install python and most of the tools to run the exploit. I’m leaving the DNS server last but hopefully it shouldn’t be too difficult.

Step 4 – Create a DNS config file which redirects the user’s manual page + blocks telemetry, then run the FakeDNS Server

The config file for the DNS server is a text file containing a series of urls or ip address, followed by where they should be redirected to. At the very minimum, for the exploit to work, you’ll want to create a file that contains the following line:

A ^manuals\.playstation\.net [YOUR ETHERNET IP HERE]

so in my case

A ^manuals\.playstation\.net 192.168.137.1

(Btw the letter A at the beginning of each line is not a typo, folks, go read a bit about DNS if you want more details).

What this will do (once the DNS Server is up and running) is point your PS5 to your own server when it tries to access its user manual. Little does your PS5 know, that instead of an instruction manual, it will display a page with the exploit. Machiavellian!

Now we actually want to take that a step further, and add a bunch of rules in there. Some urls we will redirect to our own server for future use (for example to tell the PS5 that the latest and greatest firmware is 4.03, which is one additional step to avoid updating by mistake), and others we will simply block to avoid sending telemetry and other data to Sony’s servers.

I’ve shamelessly copy pasted the rules from Al-Azif’s PS4 exploit host with a minor modification (added ps5 to the list of update urls). To be honest I’m pretty sure they’re not all necessary (notice some Nintendo stuff in there?) but I didn’t want to have to think too hard about each one, so I copied everything.

There are two kinds of urls here, those that we redirect to our server (replace 192.168.137.1 with your own IP!) and those we send to the void (0.0.0.0, keep as is).

#RedirectA ^the\.gate 192.168.137.1A ^www\.playstation\.com 192.168.137.1A ^manuals\.playstation\.net 192.168.137.1A ^(get|post)\.net\.playstation\.net 192.168.137.1A ^(d|f|h)[a-z]{2}01\.(ps5|ps4|psp2|psv)\.update\.playstation\.net 192.168.137.1A ^update\.playstation\.net 192.168.137.1A ^ctest\.cdn\.nintendo\.net 192.168.137.1#BlockA ^(.*\.)?207\.net 0.0.0.0A ^(.*\.)?akadns\.net 0.0.0.0A ^(.*\.)?akamai\.net 0.0.0.0A ^(.*\.)?akamaiedge\.net 0.0.0.0A ^(.*\.)?cddbp\.net 0.0.0.0A ^(.*\.)?ea\.com 0.0.0.0A ^(.*\.)?edgekey\.net 0.0.0.0A ^(.*\.)?edgesuite\.net 0.0.0.0A ^(.*\.)?llnwd\.net 0.0.0.0A ^(.*\.)?playstation\.(com|net|org) 0.0.0.0A ^(.*\.)?ribob01\.net 0.0.0.0A ^(.*\.)?sbdnpd\.com 0.0.0.0A ^(.*\.)?scea\.com 0.0.0.0A ^(.*\.)?sonyentertainmentnetwork\.com 0.0.0.0A ^(.*\.)?nintendo\.net 0.0.0.0

1. Copy/paste the above in a text file that you’ll name dns.conf (the name doesn’t matter as long as you pass it correctly as a parameter to the fakeDN server) in the same folder where all the python scripts of the exploit are (in particular fakedns.py).
   • (Note that except for the manual one, none of the redirects actually do anything at the moment, that’s something which will need to be done in the future, or maybe for those adventurous enough to run the exploit on Al-Azif’s server, you might be able to leverage the code he has that handles a lot of these redirects.)
2. You should now be ready to run the DNS Server, by typing in the windows command line: python fakedns.py -c dns.conf
   • In my case the DNS server refused to start at that point, telling me something else might be using port 53. I fixed this issue by specifying I wanted that DNS server to run only for my ethernet port: python fakedns.py -c dns.conf -i 192.168.137.1
3. If the FakeDNS server runs as expected, it will message you saying it’s parsed 20 or so rules. You’re good to go!

Step 5 – Tying it all up together, launching the exploit

You should have your PC connection shared with your PS5 (what we did in Steps 1 and 2 above), and two command line windows open: one running the https server with the exploit, and the other running the FakeDNS server (Steps 3 and 4 above).

1. Now’s the right time to reboot your PS5 if it was still on (just to make sure we have a cleared cache), and maybe go back to Step 2 above if you had skipped it earlier.
   • Again, this whole affair feels like magic to me, but by using the automatic settings on the PS5 network configuration, the PS5 automatically hits the DNS server running on my PC. This is visible almost instantly with the FakeDNS command line outputting a bunch of messages telling me the PS5 is going through it. That’s the PS5 trying to send some telemetry info to Sony.
   • You’ll want to make sure the DNS is saying the urls are matched. If it says unmatched, it means the PS5 is correctly going through the FakeDNS server, but that the dns.conf file has some issue. If you see no prompt at all in the DNS window, it might mean the PS5 is somehow not using your DNS server… you’ll have to troubleshoot.
2. go to Settings > User’s Guide &… > User’s Guide > User’s Guide.

If everything works as planned, the PS5 will complain about an unsecure connection (click yes to proceed) and you should see the exploit loading.

In my screenshot above, the exploit is not succeeding. That’s because my own PS5 is still on firmware 1.xx (which is not compatible with the webkit exploit, or at least not in its current form), and I wanted to set everything up Network-wise before updating the console. But I now have everything set up to actually run it correctly.

Step 6 – Running a binary through the Elf Loader

Since version 1.01, the exploit released by SpecterDev runs an Elf Loader upon completion. You can send any compatible ELF file to port 9020 (using e.g. Netcat GUI) and it should run. You can for example try the PS5 FTP Server, a popular solution to confirm that everything is working as expected on your end.

Conclusion – Taking it further

That’s it. It’s not particularly complicated but for some reason it took me a while to find a setup I liked. As I’ve stated there are many ways to setup your network in a way that lets you block unwanted requests from your PS5, and giving you control of the files of the exploit.

SpecterDev’s release has additional python scripts that you can look into, including one that lets your run a minimal RPC server to issue basic read/write commands to the PS5, or even dump files. You can start using these tools to dig into the insides of your PS5. You can also look into the exploit files to see how SpecterDev’s implementation ties to the original disclosure by TheFloW