Channel: Homebrew Archives - Wololo.net

PS5/PS4 BD-JB releases: BD-JB implementation for PS5 by psxdev, Sleirsgoevy improves PS4 implementation, 9.03/9.04 tests,…


It’s been a big weekend for the PS5 and PS4 scenes, with progress being made on the BD-JB exploits for both consoles. None of these releases represents a massive breakthrough, but each one shows real promise, and gives you something to try on the PS4 and the PS5.

Requirements and Disclaimer

  • To run these exploits based on TheFloW’s disclosure, you will need a Blu-Ray burner and some Blu-Ray discs, preferably rewritable (a.k.a. BD-RE).
  • The exploits have been reported to work on PS4 up to and including 9.04, and on PS5 up to and including 4.51. If you’re on a firmware above that, it’s likely you will not get them to work.

Remember that there is no Jailbreak associated with these exploits yet (whether on PS5 or PS4), so this is only for minor tinkering right now. Don’t go and buy an expensive Blu-Ray burner expecting a Jailbreak for now!

PS5 BD-JB Implementation by psxdev

Developer psxdev (BigBoss) has released an implementation of the BD-JB for the PS5, based on TheFlow’s work and Sleirsgoevy’s PS4 implementation. Currently this release only implements one of the exploits of the chain, but is enough to start digging into the PS5 internals.

You can download the source code of this implementation here.

For those who don’t want to go through the compile process themselves, Zecoxao has shared an iso here.

This implementation currently only does one thing: it lists the content of /app0 on the screen. From there, people can start tinkering to do more stuff.

Sleirsgoevy updates his PS4 BD-JB implementation

Sleirsgoevy had previously released an implementation of the exploit chain for PS4. In the past few days, he’s added updates to his work. This new release seems to improve how the code handles payloads (better compatibility?).

From the Readme:

BD-JB reimplementation based on TheFlow's report and presentation. Implements loading arbitrary .bin payloads using vulnerabilities #2 (privileged constructor call), #3 (privileged method call), #4 (jit hack) from the report. Listens for payloads on port 9019.

The first (and only) argument to the payload is the address of sceKernelDlsym, which can be used to resolve other symbols. It seems that libkernel_sys.sprx always has id 0x2001, and you can look up other libraries by getting the full list of handles and looking up the name of each handle. You can't directly call syscalls due to missing kernel patches.

You can get this new release on the developer’s github here.

Payload tests by Zecoxao

Zecoxao has been sharing a bunch of test files related to psxdev’s work, as well as payloads, in particular for people to test on PS4 9.03/9.04.

For those of you who have burned Sleirsgoevy’s implementation, here are some payloads to test with it:

  • FTP Server, work in progress (runs but rejects commands)

To avoid any confusion

  • These are just work-in-progress files from various hackers; nothing can be categorized as “user friendly” at the moment, but if you want to understand how the scene makes progress on an exploit, you’re on the frontlines.
  • A Blu-Ray burner and Blu-Ray discs are required for this. It will not work with DVDs! That said, don’t jump the gun unless you really want to (see the point above!).
  • Sleirsgoevy’s implementation (PS4) accepts payloads on port 9019. Psxdev’s implementation (PS5) does not accept payloads; instead it has its own payload embedded. Don’t mix and match, it will not work. Also, PS4 payloads are generally unlikely to work on PS5, and vice-versa. Again: it’s confusing, we know. Work in progress!

The post PS5/PS4 BD-JB releases: BD-JB implementation for PS5 by psxdev, Sleirsgoevy improves PS4 implementation, 9.03/9.04 tests,… appeared first on Wololo.net.
