PS5 Exploit Guide

Inaki · 2026-06-03T10:28:00+0100

BobaFett_UK said:
Some Linux news here from the good doctor..

Post automatically merged: Yesterday at 8:56 AM

Also just seen this X post re an xfat image builder...

I just tried using exFAT builder 3.3.0 and creating an ffpfsc from a backup folder:

After like 2 hours or so the progress is at 4% Build exFAT Copying files. No disk activity and no CPU activity, the .exfat file in the target directory is there, not sure if contents are already there or not... I used HIEW to have a look and first 3000h bytes have common exFAT boot sectors and records and so on ( then a MB and a bit more of 00s and at offset 001175CC some 32bit numbers starting at 00005D74 and incrementing to 00044376 and seems marked ending with a following FFFFFFFF at offset 002100DD8 then some tables, then some KBs of 00s, then a new similar table... ), TLDR: not sure if this is just an initialized exFAT image or it has been written the files into it.

EDIT: There is also a virtual drive which I assume is created by OSFMount which is 88.1GB total and 40.4GB Free... so it seems it was more than initialized, but not quite finished... inside this drive there is 98441 files, 15996 folders, 45.6GB. The origin backup folder is 223239 files, 19680 folders, 82.0GB.

Anyway, just wanted to describe the status in case it helps, I'll delete the target and manually make an exfat and then convert to ffpfsc later today...

BobaFett_UK · 2026-06-03T10:36:27+0100

It sounds like these types of compression techniques need time to be optimised for speed and size. I also expect it's just a matter of time before the smaller game dumps appear on the usual sites so will save us time and headache compressing them ourselves...

xalfie · 2026-06-03T10:50:11+0100

nanoDNS updated to version v0.3

https://github.com/drakmor/nanoDNS

Inaki · 2026-06-03T11:01:17+0100

xalfie said:
nanoDNS updated to version v0.3

https://github.com/drakmor/nanoDNS

Seems like no changes for the PS5 version.

BobaFett_UK · 2026-06-03T11:03:09+0100

xalfie said:
nanoDNS updated to version v0.3

https://github.com/drakmor/nanoDNS

Good find! I used the v0.2 yesterday for the 1st time... So my primary DNS is set to 127.0.0.2 and then i load nandns first via the payload manager and then whatever payload i want next.... Have to say i do like the itsPLK payload manager... but he needs to improve it in some areas to make the workflow better..

Post automatically merged: Yesterday at 11:03 AM

Inaki said:
Seems like no changes for the PS5 version.

Well what's the point of us using it then?

Inaki · 2026-06-03T11:08:53+0100

BobaFett_UK said:
Good find! I used the v0.2 yesterday for the 1st time... So my primary DNS is set to 127.0.0.2 and then i load nandns first via the payload manager and then whatever payload i want next.... Have to say i do like the itsPLK payload manager... but he needs to improve it in some areas to make the workflow better..

Post automatically merged: Yesterday at 11:03 AM

Well what's the point of us using it then?

Nah, it's fine, the new version fixed ( or made it compatible on higher PS4 fw versions ) the PS4 binary, it seems, nothing for the PS5 binary, but anyway, good to be up to date... we don't need to update it until a PS5 change happens, I guess.

HS2005 · 2026-06-03T11:24:11+0100

We will see how things move from here.

cloudfe · 2026-06-03T11:24:22+0100

I have a question on transfer speeds.

I recently moved a 165Gb exfat to the internal storage via FTP (both my Mac and my Phat PS5 were connected to a powerline via ethernet cables Cat.5E). The transfer speed started at around 5.2Mb/s and ended up around 4.8Mb/s. It took 9 hours.

I then tried again - this time with a Kingston XS1000 (declared transfer speed up to 1050MB/s) - and the transfer speed stayed between 39 and 36Mb/s. It took 1 hour. I made sure to use the usb port in the back of the PS5.

In both cases, these transfer speeds seemed quite slow to me.
Is this normal? Am I missing something?

cherryduck · 2026-06-03T11:24:29+0100

Inaki said:
I just tried using exFAT builder 3.3.0 and creating an ffpfsc from a backup folder:

After like 2 hours or so the progress is at 4% Build exFAT Copying files. No disk activity and no CPU activity, the .exfat file in the target directory is there, not sure if contents are already there or not... I used HIEW to have a look and first 3000h bytes have common exFAT boot sectors and records and so on ( then a MB and a bit more of 00s and at offset 001175CC some 32bit numbers starting at 00005D74 and incrementing to 00044376 and seems marked ending with a following FFFFFFFF at offset 002100DD8 then some tables, then some KBs of 00s, then a new similar table... ), TLDR: not sure if this is just an initialized exFAT image or it has been written the files into it.

EDIT: There is also a virtual drive which I assume is created by OSFMount which is 88.1GB total and 40.4GB Free... so it seems it was more than initialized, but not quite finished... inside this drive there is 98441 files, 15996 folders, 45.6GB. The origin backup folder is 223239 files, 19680 folders, 82.0GB.

Anyway, just wanted to describe the status in case it helps, I'll delete the target and manually make an exfat and then convert to ffpfsc later today...

exFAT builder only uses 1 CPU core to create an ffpfsc which takes forever. You could try my batch script if you're on Windows. Make sure mkpfs is installed (pip install mkpfs) and then just drag and drop your image onto the bat file.

xalfie · 2026-06-03T11:30:12+0100

HS2005 said:
View attachment 576281

We will see how things move from here.

if the fpkg is really near, that apr emu will be obsolete before to born...

HS2005 · 2026-06-03T11:46:58+0100

Updated release

ps5debug-NG v1.2.6 (rev1)

v1.2.5 added initial support for FW 8.x-13.x. v1.2.6 makes it actually functional and adds hardware verification across most firmwares.

Firmware support - 8.x through 13.x now working

Hardware-verified: FW 4.x, 6.x, 8.x, 9.x, 10.x and 12.x - poke, software + hardware breakpoints, all watchpoint types, title ID, content ID and version confirmed working.
FW 3.x, 5.x, 7.x, 11.x and 13.x: supported but not yet fully tested. The fixes are firmware-agnostic by design. Feedback welcome.

Memory write (poke) on FW 8.40+

Pokes silently failed on FW ≥ 8.40 (the kernel blocks the old mdbg write path there). Writes now go through a DMAP page-table walk, so poking, cheats and patches work again on 8.40-13.x. (mdbg stays the path on FW ≤ 8.x.)
Newly allocated memory is pre-faulted so writes land correctly.

Breakpoints & watchpoints on FW 9.x-13.x

Hardware breakpoints/watchpoints were silently doing nothing on 9.x+ - now enabled across 9.00-13.20.
Software (INT3) breakpoints now write correctly on 9.x+ (same DMAP fix as poke).
Fixed breakpoints/watchpoints that fired a few times then stopped on FW 11/12 (the debug-status register wasn't being cleared between hits).

Title ID / Content ID / Version - now firmware-agnostic

Game title ID, content ID and version are detected by scanning the process instead of per-firmware offsets (which shifted at 8.x and 12.x). Reaper / Cheater again show the running game correctly on newer firmware.

Fixed a console crash on client disconnect (SIGPIPE)

Closing the client mid-operation (e.g. during a scan) could crash the whole console by killing SceShellCore. Now suppressed - disconnecting is safe. Affects all firmwares.

Load notification now shows the firmware version

The "loaded" popup now includes a Firmware: x.yy line.

Credits

Added @Pharaoh2k to the special thanks.

Documentation

Rewrote PROTOCOL.md to match the current sources (every command, packet struct, status code and enum), and corrected/expanded the README firmware table with per-release verification status.

Known caveats

FW 3.x, 5.x, 7.x, 11.x and 13.x are supported and quite likely fully working but not yet fully hardware-tested - please report results.
FW ≤ 5.x behavior is otherwise unchanged.

NOTE: The previously attached binary has been replaced by ps5debug-NG_v1.2.6-revision1.elf

Revision 1 (ps5debug-NG_v1.2.6-revision1.elf)

Fixes memory writes (poke) and software breakpoints on FW 8.40 / 8.60 - the DMAP write path now engages from FW 8.40 instead of 9.00 (a user reported "can't write to memory" on 8.40). 9.x+ already worked and FW < 8.40 is unchanged, so this is the only change from the initial v1.2.6 ps5debug-NG_v1.2.6.elf binary which has been replaced.

Link: https://github.com/OpenSourcereR-dev/ps5debug-NG/releases/tag/1.2.6

Post automatically merged: Yesterday at 11:53 AM

xalfie said:
if the fpkg is really near, that apr emu will be obsolete before to born...

I hope so but lot of the codes that have been written for the apr and DLC emu is also being used within fpkg.

Post automatically merged: Yesterday at 12:35 PM

So I did some testing with ps5debug-NG v1.2.6 (rev1)

If a cheat enabler like PHU or etaHEN fails (for whatever reason) you can use DX/Watch. I have been using this for months for debugging and cheats. You can download it here: https://ko-fi.com/s/9960cc66fd

Steps:

After loading all .elf files send ps5debug-NG_v1.2.6-revision1.elf via Netcat.
Configure the program- so DX/Watch - for your PS5 IP and port.
Click the connect button. If everything is oke you will get some new screens, if not, you did something wrong.
After that go to Trainer Manager on the left side of the UI.
Then load your cheat for your game via [Load Trainer].
Enable cheats by clicking on a single row > Right click [Turn ON/ Turn OFF].

Have fun.

maguro · 2026-06-03T12:40:03+0100

cloudfe said:
I have a question on transfer speeds.

I recently moved a 165Gb exfat to the internal storage via FTP (both my Mac and my Phat PS5 were connected to a powerline via ethernet cables Cat.5E). The transfer speed started at around 5.2Mb/s and ended up around 4.8Mb/s. It took 9 hours.

I then tried again - this time with a Kingston XS1000 (declared transfer speed up to 1050MB/s) - and the transfer speed stayed between 39 and 36Mb/s. It took 1 hour. I made sure to use the usb port in the back of the PS5.

In both cases, these transfer speeds seemed quite slow to me.
Is this normal? Am I missing something?

Try using this https://github.com/phantomptr/ps5upload/releases

HS2005 · 2026-06-03T13:11:50+0100

cherryduck said:
exFAT builder only uses 1 CPU core to create an ffpfsc which takes forever. You could try my batch script if you're on Windows. Make sure mkfps is installed (pip install mkfps) and then just drag and drop your image onto the bat file.

Hmm I've tested this script. Thnx. Seems to be working now on my local, so C drive and can be loaded properly.
No loading issues.

D drive is not working yet. It's related to a OSError: [WinError 17]. So i've to check what causes this:

Code:

    raise BuildError(
        "Unable to stage source file without copying, hard link and symlink both failed"
    ) from exc
mkpfs.pfs.BuildError: Unable to stage source file without copying, hard link and symlink both failed

Blythe93 · 2026-06-03T13:17:36+0100

xalfie said:
if the fpkg is really near, that apr emu will be obsolete before to born...

I will definitely wait for that, if it really is coming out soon.

I like fiddling with my setup but, man, every time I check this thread there's at least 4 pages worth of posts and maybe 3-5 new things worthy to be checked out.

HS2005 · 2026-06-03T13:22:28+0100

Blythe93 said:
I will definitely wait for that, if it really is coming out soon. I like fiddling with my setup but, man, every time I check this thread there's at least 4 pages worth of posts and maybe 3-5 new things worthy to be checked out.

Indeed.

The first thing I wanted to test was the new debug elf and I was blown away that it works for 12.00, 12.40 and 12.70. These are the systems that I have tested it on so far.

Got .ffpfsc also working with the latest scripts and SM+. On to test the new PHU release.

cherryduck · 2026-06-03T13:26:50+0100

HS2005 said:
Hmm I've tested this script. Thnx. Seems to be working now on my local, so C drive and can be loaded properly.
No loading issues.

View attachment 576292

D drive is not working yet. It's related to a OSError: [WinError 17]. So i've to check what causes this:

Code:

raise BuildError( "Unable to stage source file without copying, hard link and symlink both failed" ) from exc mkpfs.pfs.BuildError: Unable to stage source file without copying, hard link and symlink both failed

Yeah there's a bug with MkPFS where it won't work if your image/folder isn't on the C drive. I've raised a PR to fix this: https://github.com/PSBrew/MkPFS/pull/15. You could just nick the code change and update it in the cli.py file at

Code:

AppData\Local\Python\pythoncore-3.14-64\Lib\site-packages\mkpfs

(or equivalent location on your PC).

xZenithy · 2026-06-03T13:49:18+0100

HS2005 said:
Updated release

ps5debug-NG v1.2.6 (rev1)
v1.2.5 added initial support for FW 8.x-13.x. v1.2.6 makes it actually functional and adds hardware verification across most firmwares.

Firmware support - 8.x through 13.x now working

Hardware-verified: FW 4.x, 6.x, 8.x, 9.x, 10.x and 12.x - poke, software + hardware breakpoints, all watchpoint types, title ID, content ID and version confirmed working.

FW 3.x, 5.x, 7.x, 11.x and 13.x: supported but not yet fully tested. The fixes are firmware-agnostic by design. Feedback welcome.

Memory write (poke) on FW 8.40+

Pokes silently failed on FW ≥ 8.40 (the kernel blocks the old mdbg write path there). Writes now go through a DMAP page-table walk, so poking, cheats and patches work again on 8.40-13.x. (mdbg stays the path on FW ≤ 8.x.)

Newly allocated memory is pre-faulted so writes land correctly.

Breakpoints & watchpoints on FW 9.x-13.x

Hardware breakpoints/watchpoints were silently doing nothing on 9.x+ - now enabled across 9.00-13.20.

Software (INT3) breakpoints now write correctly on 9.x+ (same DMAP fix as poke).

Fixed breakpoints/watchpoints that fired a few times then stopped on FW 11/12 (the debug-status register wasn't being cleared between hits).

Title ID / Content ID / Version - now firmware-agnostic

Game title ID, content ID and version are detected by scanning the process instead of per-firmware offsets (which shifted at 8.x and 12.x). Reaper / Cheater again show the running game correctly on newer firmware.

Fixed a console crash on client disconnect (SIGPIPE)

Closing the client mid-operation (e.g. during a scan) could crash the whole console by killing SceShellCore. Now suppressed - disconnecting is safe. Affects all firmwares.

Load notification now shows the firmware version

The "loaded" popup now includes a Firmware: x.yy line.

Credits

Added @Pharaoh2k to the special thanks.

Documentation

Rewrote PROTOCOL.md to match the current sources (every command, packet struct, status code and enum), and corrected/expanded the README firmware table with per-release verification status.

Known caveats

FW 3.x, 5.x, 7.x, 11.x and 13.x are supported and quite likely fully working but not yet fully hardware-tested - please report results.

FW ≤ 5.x behavior is otherwise unchanged.

NOTE: The previously attached binary has been replaced by ps5debug-NG_v1.2.6-revision1.elf
Revision 1 (ps5debug-NG_v1.2.6-revision1.elf)

Fixes memory writes (poke) and software breakpoints on FW 8.40 / 8.60 - the DMAP write path now engages from FW 8.40 instead of 9.00 (a user reported "can't write to memory" on 8.40). 9.x+ already worked and FW < 8.40 is unchanged, so this is the only change from the initial v1.2.6 ps5debug-NG_v1.2.6.elf binary which has been replaced.

Link: https://github.com/OpenSourcereR-dev/ps5debug-NG/releases/tag/1.2.6

Post automatically merged: Yesterday at 11:53 AM

I hope so but lot of the codes that have been written for the apr and DLC emu is also being used within fpkg.

Post automatically merged: Yesterday at 12:35 PM

So I did some testing with ps5debug-NG v1.2.6 (rev1)

If a cheat enabler like PHU or etaHEN fails (for whatever reason) you can use DX/Watch. I have been using this for months for debugging and cheats. You can download it here: https://ko-fi.com/s/9960cc66fd

Steps:

After loading all .elf files send ps5debug-NG_v1.2.6-revision1.elf via Netcat.

Configure the program- so DX/Watch - for your PS5 IP and port.

Click the connect button. If everything is oke you will get some new screens, if not, you did something wrong.

After that go to Trainer Manager on the left side of the UI.

Then load your cheat for your game via [Load Trainer].

Enable cheats by clicking on a single row > Right click [Turn ON/ Turn OFF].

View attachment 576289

Have fun.

If you want to use DX/Watch as trainer manager, it is more easy and funny use the Preview Button:

And on the new screen toggle the cheat in a more easy way...

HS2005 · 2026-06-03T13:57:54+0100

cherryduck said:
Yeah there's a bug with MkPFS where it won't work if your image/folder isn't on the C drive. I've raised a PR to fix this: https://github.com/PSBrew/MkPFS/pull/15. You could just nick the code change and update it in the cli.py file at

Code:

AppData\Local\Python\pythoncore-3.14-64\Lib\site-packages\mkpfs

(or equivalent location on your PC).

Good to hear that you already flagged this issue.
Using another drive is more of a convenience for me to use. My C drive has 1 TB or storage and my D drive (part of my laptop) has 8TB.

Drakmor has also released a new build: https://github.com/drakmor/ShadowMountPlus/actions/runs/26884879634

lufeig · 2026-06-03T13:59:07+0100

Blythe93 said:
This will be huge once they fix the slower reading speed of such images. I'm glad to see that reputable source confirmed that FPKGs are coming soon.

I hope I'm wrong, but I've been hearing about ps5 fpkgs "soon" since a year ago, when ze coxao tweeted that he was releasing fpkg games.

HS2005 · 2026-06-03T14:27:26+0100

With the help of many people:

ShadowMountPlus 1.6test15-fix1

Fixed issues with mounting in /system_ex/app
Experimental support for .ffpfsc images has been added. Scan depth can be left at scan_depth=1.
Do not use with MicroMount!

fix: PFS mount issue

Full Changelog: 1.6beta14-fix1...1.6test15-fix1

Link: https://github.com/drakmor/ShadowMountPlus/releases/tag/1.6test15-fix1

Shoutout to @cherryduck for providing the script. (.bat file). Using 32 cores speed things up a lot.

PS5 Hack Status:

Preparing Your Console:

Select Your Jailbreak:

Additional Information:

Warnings:

Archived Information

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

The destroyer of worlds

Well-Known Member

Well-Known Member

Attachments

Well-Known Member

The destroyer of worlds

ps5debug-NG v1.2.6 (rev1)​

Firmware support - 8.x through 13.x now working​

Memory write (poke) on FW 8.40+​

Breakpoints & watchpoints on FW 9.x-13.x​

Title ID / Content ID / Version - now firmware-agnostic​

Fixed a console crash on client disconnect (SIGPIPE)​

Load notification now shows the firmware version​

Credits​

Documentation​

Known caveats​

NOTE: The previously attached binary has been replaced by ps5debug-NG_v1.2.6-revision1.elf​

Member

The destroyer of worlds

The Treasure Tracker

The destroyer of worlds

Well-Known Member

Well-Known Member

ps5debug-NG v1.2.6 (rev1)​

Firmware support - 8.x through 13.x now working​

Memory write (poke) on FW 8.40+​

Breakpoints & watchpoints on FW 9.x-13.x​

Title ID / Content ID / Version - now firmware-agnostic​

Fixed a console crash on client disconnect (SIGPIPE)​

Load notification now shows the firmware version​

Credits​

Documentation​

Known caveats​

NOTE: The previously attached binary has been replaced by ps5debug-NG_v1.2.6-revision1.elf​

The destroyer of worlds

Well-Known Member

Attachments

The destroyer of worlds

ShadowMountPlus 1.6test15-fix1​

Similar threads