
Possible reason for crashing

Open mrdude2478 opened this issue 5 months ago • 0 comments

Hi, I was messing about looking at the latest code and I noticed this:

I commented out the binloader function (so it would never run, since you are also calling the payload injection code anyway) and cleared my cached data from the PS4. Then rebooted.

If the PSFree exploit works straight away and the PS4 gets exploited, the GoldHEN payload injection code works well now (never crashes) and GoldHEN gets loaded (without ever running the runBinLoader() function called from "async function kexploit()").

If the PSFree exploit fails, the runBinLoader() function gets called in "async function kexploit()"; this seems to then run the binloader code even if the exploit isn't running properly.

Anyway, never calling the runBinLoader() function never seems to give me a kernel panic, and the PS4 never crashes. If the exploit works the first time, GoldHEN is loaded. If not, and the runBinLoader() function is not called, only chain900 and a line under it are shown in the console information, but without crashing the PS4. So it seems that running the runBinLoader() function is where the kernel panic sometimes happens.

Furthermore, when running async function kexploit(), it seems to think the console exploit has been successful when it hasn't been, so when you get to here:

    if (localStorage.ExploitLoaded === "yes" && sessionStorage.ExploitLoaded != "yes") {
        runBinLoader(); //crash happens here.
        return new Promise(() => { });
    }

You're trying to run the binloader code, and this is where the crash happens. When you comment out the runBinLoader(); line, you can see on the console that you're not fully exploited yet when you get to that point in the code.

Changing the above to:

    if (localStorage.ExploitLoaded === "yes") {
        //runBinLoader();
        return new Promise(() => { });
    }

The exploit fail/crash also usually happens in this section:

    log('\nSTAGE: Double free SceKernelAioRWRequest');
    const [pktopts_sds, dirty_sd] = double_free_reqs1(
        reqs1_addr, kbuf_addr, target_id, evf, sd_pair[0], sds,
    );

Putting a try/catch in the above code section gives the error that the variable pktopts_sds is not found when it gets to the next section for getting read/write, so maybe it's failing with something on this line:

const [pktopts_sds, dirty_sd] = double_free_reqs1(reqs1_addr, kbuf_addr, target_id, evf, sd_pair[0], sds);

mrdude2478 May 31 '25 13:05
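The state bug the issue describes, modelled as an added example (not PSFree code): the gate checks a flag in localStorage, which outlives the reboot that invalidates it, against a flag in sessionStorage, which does not, so it fires in exactly the session where the exploit did not succeed. The in-memory storage stand-in and the session-only alternative gate are assumptions for illustration, not the project's fix.

```javascript
// Added example, not PSFree code. Models the gate quoted in the issue:
//   localStorage.ExploitLoaded === "yes" && sessionStorage.ExploitLoaded != "yes"
// localStorage survives reboots and reloads; sessionStorage does not.

// Minimal in-memory stand-in for window.localStorage / sessionStorage.
function makeStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => data.set(k, String(v)),
  };
}

// The gate as quoted in the issue.
function originalGateFires(local, session) {
  return local.getItem("ExploitLoaded") === "yes" &&
         session.getItem("ExploitLoaded") !== "yes";
}

// Session-only gate (assumption): only a flag written in *this* session,
// after a confirmed success, may allow the loader to run.
function sessionGateFires(session) {
  return session.getItem("ExploitLoaded") === "yes";
}

// Scenario: an earlier run succeeded and recorded the flag, then the console
// rebooted (constructed: session state cleared, persisted state kept), then
// the exploit either succeeds again or does not.
function simulate(exploitSucceedsAfterReboot) {
  const local = makeStorage();
  let session = makeStorage();
  local.setItem("ExploitLoaded", "yes");     // persisted by the earlier run
  session.setItem("ExploitLoaded", "yes");   // valid only for that session
  session = makeStorage();                   // reboot: session state is gone
  if (exploitSucceedsAfterReboot) session.setItem("ExploitLoaded", "yes");
  return {
    original: originalGateFires(local, session),
    sessionOnly: sessionGateFires(session),
  };
}
```

With the quoted gate, a failed run after reboot still reaches the loader call; with the session-only gate it does not, and a successful run reaches it either way.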