Tutorial  Updated

PS5 Exploit Guide

PS5 HACK STATUS:

Golden FWs: 4.51 = etaHEN / 2.50 = HV

Hypervisor:
Highest HV exploit: 1.00-*4.51* (FlatZ)
Highest Public HV exploit: 1.00-2.50/2.70 (byepervisor Specter)
*unreleased

Kernel:
Highest possible KEX:
1.00-*7.61 UMTX*
Highest public KEX: 1.00-4.51 (IPV6 UAF)
KEX offsets found: 1.00-5.50
*unreleased

Userland:
Webkit: 1.00-5.50 (PSFREE)
Mast1C0re: 1.00-7.61 (PS2 backups)
BD-JB: 1.00-7.61
PPPWN: 1.00-8.20
Highest Lua entry point: 1.00-10.40

Homebrew Enabler: etaHEN (3.XX-4.5X) latest
HERE
PS5 backup loading: Itemzflow for 3.XX-4.5X HERE
PS4 backup loading: FPKG Enabler 2.XX-4.5X (rest mode & backports work, can crash).
PS5debug released:
HERE
PS5 trainers/cheats: Work
PS5 dumper: 3.XX-4.5X works with most games, use Itemzflow
(Dumps need rebuilding/cracking to avoid crashing)

UART:
HERE
Full chain exploit: 1.00-2.70 (byepervisor)
PSN access: NEVER
Latest OFW: 10.30 (03/12/24)
Latest beta OFW: 10.00 b2 (25/07/24)
OFW Updates:
HERE
Legit PKG Updates: HERE

https://github.com/PS5Dev/PS5-UMTX-Jailbreak/releases/tag/v1.2

UMTX 1.2 exploit works on 1.00-5.xx with WebKit:
https://zecoxao.github.io/umtx/ or https://es7in1.site/ (payloads not working on 5.xx yet)

UMTX 6.xx-7.61 will require a new webkit exploit for digital consoles

PS5 Itemzflow compatibility list:

Recommended hosts:
AL-AZIF WEB HOST:
DNS 1: 165.227.83.145
DNS 2: 192.241.221.79

https://cthugha.thegate.network/
https://ithaqua.thegate.network/

NOMADIC20000 HOST:
DNS 1: 62.210.38.117

(Leave DNS 2 blank)
http://es7in1.site/
https://zecoxao.github.io/ps5jb/

https://ps5jb.pages.dev/
https://sleirsgoevy.github.io/ps4jb2/ps5-403/index.html

PS5 game updates: https://psxpatches.com/

Summarised OFW/Model guide: HERE

1.XX-7.61 game compatibility list: HERE

Update OFW manually via USB by getting the firmware file from HERE and installing from <USB>:/PS5/UPDATE/PS5UPDATE.PUP

SYSTEM UPDATES:
7.61 SYS MD5: d5eca8b171a8d7df7ba225167f77e645 (ready for exploit)
6.50 SYS MD5: 98db854ba47a75dff0cb09355bca9025 (ready for exploit)
5.50 SYS MD5: edb3513ec531b2bd28f3a0b52a82a54f (exploited)
4.51 SYS MD5: 1330b7bf63bf5c93d809b1eb1f4e1f01 (exploited)
4.03 SYS MD5: 3716e4e6e0d223cd94cd4a8e5bd4fb94 (exploited)

RECOVERY UPDATES (wipes all data):

7.61 REC MD5: 932f24e934723050fe49561b67e95226 (ready for exploit)
6.50 REC MD5: 4305223c12bd6dda9b944c0ee49c94c0 (ready for exploit)
5.50 REC MD5: c939ac8b37e07bbc129816a61002d30a (exploited)
4.51 REC MD5: da78ca268da90a963d89b0f45db0f061 (exploited)
4.03 REC MD5: e6dcc800d8d1dcada4f2bcd6e7ff162c (exploited)


OFW 1.xx cannot run PS4 games.
OFW 2.xx runs PS4 games up to 8.03
OFW 3.xx runs PS4 games up to 8.52
OFW 4.xx runs PS4 games up to 9.04
OFW 5.xx runs PS4 games up to 9.60
OFW 6.xx runs PS4 games up to 10.50
OFW 7.xx runs PS4 games up to 11.00
OFW 8.xx/9.xx runs PS4 games up to 11.50

PS4 backported FPKGs work perfectly on PS5.

To determine your OFW version:
Go to settings > system > console information.

Version string info:
Year.Half (1st/2nd half of the year)-Major Version No.Minor Version No.Extended info-Further Info.Retail/Debug

21.02-04.03.00.00-00.00.00.0.1

First BD-J + Kernel access exploit provided by Sleirsgoevy (29/9/22)


Note: There are several USERLAND exploits, a couple of KERNEL exploits, and there is now a public HYPERVISOR exploits available for 1.xx-2.70 to complete the full exploit chain (23/10/24).

Recently Flatz confirmed he has developed his own HV exploit (1.xx-4.51 which is kept private) which was chained from a PS4 save game, and has successfully dumped PlayStation Secure Processor (27/07/23).


As of August 4th 2022: We can now install PS4/PS5 PKG games and updates (and by extension FPKGs) however official PKGs cannot be run unless you legitimately owned them previously digitally and have a licence for them on your current console, or if you own the disc (for update pkgs).

As of October 6th PS4 FPKG can be played on 4.03 OFW thanks to Sliersgoevy FPKG enabler!

Payload: https://gbatemp.net/download/4-03-fpkg-enabler-hen.38248/

As of October 21st PS4 FPKG can be played on 4.50 thanks to cheburek3000 porting offsets.

Payload: https://gbatemp.net/download/4-50-fpkg-enabler-hen.38279/

As of October 25th theflow0 fixes BD-J path traversal and native code execution for 7.61
https://x.com/theflow0/status/1717088032031982066?s=46&t=PIYQV4jmWEyCbVfx3Nx26g

As of November 4th ktuff is fixed for 4.51:

Payload: https://gbatemp.net/download/fpkg-enabler-4-51-hen.38306/

Nov 7th PS5 backups loaded via Itemzflow by Lightningmodz and Echostretch. Fully decrypted dumps require system files bundled into them in order to run without crashing with Libhijacker (no hen required), details here: https://gbatemp.net/threads/ps5-exploit-guide.613891/page-109#post-10290677

As of November 30th ps5debug has been released by SiSTR0: https://github.com/GoldHEN/ps5debug
Mirror: https://gbatemp.net/download/ps5debug.38333/

Dec 1st: first PS5 trainer (Dark Souls) is completed ready for the imminent release of REAPER Multi Trainer II by CTN.

Dec 25th: PS5 back up loading via ITEMZFLOW now released: https://pkg-zone.com/details/ITEM00001

As of Jan 2nd 2024 Sleirsgoevy has ported K-Stuff offsets for 3.xx firmwares.

As of Jan 4th 2024 LM had added 3.XX Kstuff to Itemzflow meaning 3.XX-4.51 is now supported for PS4/PS5 backups and dumping.


Oct 8th 2024: BD-JB + Kernel works on 7.61 thanks to user Hammer.
1: Never enable IDU mode.
If you do you will need to enter staff mode by holding L1 + L2 and tapping this combo: circle, cross, square, triangle, right D-Pad. Release L1 + L2 and you can access settings to exit IDU.

2: Try to stay on the lowest FW possible and wait it out for hacks on that firmware.

3: PS5 FPKGs cannot work as a hack for the a53 processor does not publicly exist to enable PS5 content as FPKG/PKG.

4: Installing legit game PKGs you do not own will not work, even if spoofed.

5: If you get stuck in a boot loop at the PS logo, this means the SNVS is corrupted (if hash check fails on boot this causes a “soft brick”).

It’s not “bricked”, just reinstall your current firmware RECOVERY PUP in safe mode!

USB: PS5 > UPDATE > PS5UPDATE.PUP

WEBKIT EXPLOIT:
Webkit > Kernel exploit chain for 3.00-4.51 via SpectreDev & ChendoChap:
https://github.com/Cryptogenic/PS5-4.03-Kernel-Exploit

https://github.com/ChendoChap/PS5-IPV6-Kernel-Exploit/tree/wip_branch

4.03 only: https://sleirsgoevy.github.io/ps4jb2/ps5-403/index.html

BD-JB EXPLOIT:
BD-JB > Kernel exploit chain for 4.51 via Sleirsgoevy:
https://github.com/sleirsgoevy/bd-jb/commit/159253464afde59c3007a706210bec65b91f38f3

PS2 CLASSICS EXPLOIT:
PS2 Classics > Userland via CTurt:
(Implementation by McCaulay)

Note: this is currently limited to swapping the loaded PS2 iso, or loading PS2 elf homebrew on PS5 (or PS4) for emulators or basic PS2 brew.

Mast1c0re PS2 exploit for PS2 homebrew:
https://cturt.github.io/mast1c0re.html

Mast1c0re part 2:
https://cturt.github.io/mast1c0re-2.html

Mast1c0re payload framework:
https://github.com/McCaulay/mast1c0re

Okrager save game exploit generator for Okage:
https://github.com/McCaulay/okrager

Mast1c0re payloader TCP Client GUI for PS5 6.50:
https://github.com/Master-s/PS4-PS5-Mast1c0re-Payloader/releases

TCP network ISO loader:
https://github.com/McCaulay/mast1c0re-ps2-network-elf-loader/releases

ExFat USB ISO loader:
https://github.com/McCaulay/mast1c0re-ps2-usb-game-loader/releases

4.03 PAYLOADS:
PS5 self dumper (Sleirsgoevy):
https://github.com/sleirsgoevy/ps4jb-payloads/tree/bd-jb/ps5-self-dumper

PS4 FPKG Enabler (Sleirsgoevy):
https://gbatemp.net/download/4-03-fpkg-enabler-hen.38248/

4.5X PAYLOADS:
(Coming soon)

MISC PAYLOADS + TOOLS:
PS5 version display payload by SiSTR0 (compiled by Logic-68):
https://github.com/logic-68/Portage_PS5Version_Mast1c0re/releases/tag/V1.0.0

Libhijacker (by Astrelsky):
https://github.com/astrelsky/libhijacker

60 FPS patches for Libhijacker (by illusion0001):
https://github.com/illusion0001/libhijacker
Console/exploit information:

PS5 SDK REPO:

https://github.com/PS5Dev

PS5 factory mode PUP installation path:
/usb/PROSPERO/UPDATE/PROSPEROUPDATE.PUP

You can install free/demo PKGS (legit pkgs) via debug pkg installer, providing you have all the files/json/licences required.

(Astro’s Playroom has no licences and can be installed and played from official pkgs and update up to 1.60)
 
Last edited by KiiWii,

KiiWii

Editorial Team
OP
Editorial Team
Joined
Nov 17, 2008
Messages
17,263
Trophies
3
Website
defaultdnb.github.io
XP
29,897
Country
United Kingdom

KiiWii

Editorial Team
OP
Editorial Team
Joined
Nov 17, 2008
Messages
17,263
Trophies
3
Website
defaultdnb.github.io
XP
29,897
Country
United Kingdom
...what about the reverse?
Does the progress of emulators benefit the reverse engineering of consoles?
Rarely, but it’s not impossible I guess.

I had a quick Look but I couldn’t find an example of an exploit being found in an emulator being used on a real system 🤔
 

cearp

瓜老外
Developer
Joined
May 26, 2008
Messages
8,829
Trophies
2
XP
8,953
Country
Tuvalu
Does the progress of emulators benefit the reverse engineering of consoles?
Rarely, but it’s not impossible I guess.
I had a quick Look but I couldn’t find an example of an exploit being found in an emulator being used on a real system 🤔
for things like save exploits, you can use an emulator to help (if it's good enough!).
https://wololo.net/2013/04/05/tutorial-finding-vhbl-exploits-without-a-psp/
but all of the progress needed to get to this point means you'd have a very good documentation of the low level stuff already
 
  • Like
Reactions: iguanoPT and KiiWii

KiiWii

Editorial Team
OP
Editorial Team
Joined
Nov 17, 2008
Messages
17,263
Trophies
3
Website
defaultdnb.github.io
XP
29,897
Country
United Kingdom
  • Like
Reactions: cearp and schatzi24

FateNightroad

Well-Known Member
Member
Joined
Jul 19, 2023
Messages
152
Trophies
0
Age
37
XP
461
Country
Canada

cearp

瓜老外
Developer
Joined
May 26, 2008
Messages
8,829
Trophies
2
XP
8,953
Country
Tuvalu
Okkaaay. That was in a scenario where if you didn't own a PSP. So, if you had a PSP, it would make more sense to use the actual PSP than something the emulates a PSP.
Not necessarily, development/testing would be much faster on a computer rather than having to testing each tiny change on the real device!
(Again, provided it's accurate, so you'd want to test on a real device early on to make sure it's not simply a bug in the emulator)

That's how development works for most platforms, ios, android, modern gaming systems etc. For example, no need to actually have a real iphone 16, apple let you emulate it when you're developing your apps on your computer.

Doesn't really apply to the low level stuff we want researched for ps5 though, just discussing stuff from your original question :)
 

C_2_T

Well-Known Member
Newcomer
Joined
Nov 13, 2024
Messages
68
Trophies
0
Age
43
XP
74
Country
United States
zecoxao seems like a good person. I'm not sure what happened, but maybe he's burned out? I've been a lurker for a while, and it does seem like all his free time is spent on the playstation stuff. I hope he feels better, perhaps he should focus on himself for a while, then if he wants to come back, he can.
 

AlphaBravo

Well-Known Member
Member
Joined
Oct 9, 2018
Messages
151
Trophies
0
Age
42
XP
656
Country
United Kingdom
zecoxao seems like a good person. I'm not sure what happened, but maybe he's burned out? I've been a lurker for a while, and it does seem like all his free time is spent on the playstation stuff. I hope he feels better, perhaps he should focus on himself for a while, then if he wants to come back, he can.

He talked about being made redundant while looking after family. Good news is they will now continue developing for the scene thanks to donations and recouping other monies. Because there are so few developers working on ps5 scene, if one person leaves or retires then it has big consequences. So I'm glad Zeco is doing a bit better now :)
 

smf

Well-Known Member
Member
Joined
Feb 23, 2009
Messages
6,778
Trophies
2
XP
6,178
Country
United Kingdom
Based on our previous conversation, EE did sell out but not surprising since their restock was only 50 consoles. They don't hold much.
Amazon UK seems to be out of stock now which is surprising. Argos today just drop price by approx 5% to £659.99 which is somewhat surprising. Based on this info, not entirely sure if ps5 pro is doing well or not as different messaging. But there looks to be the start of a Black Friday sale appearing...
I think Sony have totally destroyed their chances of selling another console ever, when the price can drop a week after they ship pre-orders. Who will ever buy one again?
 
  • Like
Reactions: AlphaBravo

AlphaBravo

Well-Known Member
Member
Joined
Oct 9, 2018
Messages
151
Trophies
0
Age
42
XP
656
Country
United Kingdom
I think Sony have totally destroyed their chances of selling another console ever, when the price can drop a week after they ship pre-orders. Who will ever buy one again?
Might not be that bad. I just cant imagine a disc less future and consoles that can't be jailbroken. I went and bought physical copy of Star wars fallen order for £6. It's £60 on PSN despite being an old game now!!
Sony might have you believe that the ps5 pro recent discount was black Friday related but I'm sure it's more about consumers rejecting the absurd £700 launch price. Same with future PS6, in the end, the market will dictate whether an expensive console can exist or not.
First time that I'm Starting to feel like an old man yelling at clouds. So much about society that doesn't make sense outside of forums like these 😔
 

Site & Scene News

Popular threads in this forum

General chit-chat
Help Users
  • K3Nv2 @ K3Nv2:
    Eh we got cartoons on nick and Disney punning in adult humor all the time
  • K3Nv2 @ K3Nv2:
    All the evil stuff generally go over a kids head because they're at the innocent stage of their life
  • chrisrlink @ chrisrlink:
    depends on the target audience too if your speaking of family guy, american dad etc those are adult cartoons
  • K3Nv2 @ K3Nv2:
    Dexter's lab is a good example of a total banned episode of kids being total assholes at their parents
  • chrisrlink @ chrisrlink:
    I miss the more "adult kid shows" pf the 90's
  • chrisrlink @ chrisrlink:
    that put nick in hot water
  • DinohScene @ DinohScene:
    The world changed in '01, face it lads we're better off at the scrapheap
  • K3Nv2 @ K3Nv2:
    Early 01s was around the time others decided it would be easier just to coddle everyone instead of taking the time to let them learn
  • AncientBoi @ AncientBoi:
    You guys mean in the year 0001 ? wow..
  • K3Nv2 @ K3Nv2:
    Man all these times you guys have been wanting to bone my mum and she's just one year old ew
  • kijetesantakalu042 @ kijetesantakalu042:
    @K3Nv2 And you are only 0.5 yrs old
  • K3Nv2 @ K3Nv2:
    So you must be like 0.1 day old
  • kijetesantakalu042 @ kijetesantakalu042:
    You must be like 0.01 day old
  • K3Nv2 @ K3Nv2:
    That's what I just said you just added an extra 0
  • kijetesantakalu042 @ kijetesantakalu042:
    Which changes the meaning...
  • K3Nv2 @ K3Nv2:
    Change your lifes meaning
  • kijetesantakalu042 @ kijetesantakalu042:
    change your lifez mening + 2
  • JollyBaker @ JollyBaker:
    why the hell is arthur punching dw higher on that list than the south park chili?
  • K3Nv2 @ K3Nv2:
    King Arthur couldn't put humpty back together again
  • JollyBaker @ JollyBaker:
    It was his horses and men that tried, not him.
  • JollyBaker @ JollyBaker:
    (nah jk lol)
  • K3Nv2 @ K3Nv2:
    That train of thought can get you executed always let the person in power take credit
    K3Nv2 @ K3Nv2: https://youtu.be/mcvLKldPM08?si=B2gGHl-9C6OzBJcq sweet