Add PS4 9.xx/10.xx/11.0x/11.50 Support#4

Open
ArabPixel wants to merge 4 commits into
ntfargo:mainfrom
ArabPixel:main

Conversation

@ArabPixel ArabPixel commented Jun 27, 2026

Currently, this is only partial support, in the hope that together we can complete it.
I have commented everything that is missing with a todo next to it.

There are still 82 todos as of writing this, excluding the PS5 case.
There are still 31 todos as of writing this, excluding the PS5 case.

What's missing:

  • ROP gadgets that I couldn't find.
  • CSSFontFace relative offsets.

@fcplaystation13-sys


I have been working on the PS5 case, similar issues to you I'm afraid.

@branchus


I'm on 11.00, happy to test this on this firmware.

@ArabPixel ArabPixel marked this pull request as ready for review June 29, 2026 15:01
@fcplaystation13-sys


Found these from WebKit source analysis:

PS4 V1150: m_wrapper = 0x58 (8 bytes after m_clients at 0x50). Rest of V1150 offsets look correct.

PS5 exploit: sizeof = 0xc0, m_wrapper = 0x68, m_status = 0x7a (not 0xc8/0x70/0x8a). FeatureSettings changed from raw struct to Vector between WK-800 and WK-1200, shifting everything by 8 bytes.

ROP gadgets: Byte patterns — POP R10: 41 5A C3, POP R11: 41 5B C3, PUSH RAX;PUSH RBP: 50 55 C3. Find them with ROPgadget --binary libSceNKWebKit.sprx. Shortcut: measure delta between known gadgets on nearby FW, apply to missing ones.

@ArabPixel

ArabPixel commented Jun 29, 2026

Author

Found these from WebKit source analysis:

PS4 V1150: m_wrapper = 0x58 (8 bytes after m_clients at 0x50). Rest of V1150 offsets look correct.

PS5 exploit: sizeof = 0xc0, m_wrapper = 0x68, m_status = 0x7a (not 0xc8/0x70/0x8a). FeatureSettings changed from raw struct to Vector between WK-800 and WK-1200, shifting everything by 8 bytes.

ROP gadgets: Byte patterns — POP R10: 41 5A C3, POP R11: 41 5B C3, PUSH RAX;PUSH RBP: 50 55 C3. Find them with ROPgadget --binary libSceNKWebKit.sprx. Shortcut: measure delta between known gadgets on nearby FW, apply to missing ones.

I know those from 11.50 are wrong; either way ufm42 has them, so making a commit for that is kinda useless.
You can PR and I can merge.

3 participants