Tutorial  Updated

PS5 Exploit Guide

PS5 HACK STATUS:

Golden FWs: 4.51 = etaHEN / 2.50 = HV

Hypervisor:
Highest HV exploit: 1.00-*4.51* (FlatZ)
Highest Public HV exploit: 1.00-2.50/2.70 (byepervisor Specter)
*unreleased

Kernel:
Highest possible KEX:
1.00-*7.61 UMTX*
Highest public KEX: 1.00-4.51 (IPV6 UAF)
KEX offsets found: 1.00-5.50
*unreleased

Userland:
Webkit: 1.00-5.50 (PSFREE)
Mast1C0re: 1.00-7.61 (PS2 backups)
BD-JB: 1.00-7.61
PPPWN: 1.00-8.20
Highest Lua entry point: 1.00-10.40

Homebrew Enabler: etaHEN (3.XX-4.5X) latest
HERE
PS5 backup loading: Itemzflow for 3.XX-4.5X HERE
PS4 backup loading: FPKG Enabler 2.XX-4.5X (rest mode & backports work, can crash).
PS5debug released:
HERE
PS5 trainers/cheats: Work
PS5 dumper: 3.XX-4.5X works with most games, use Itemzflow
(Dumps need rebuilding/cracking to avoid crashing)

UART:
HERE
Full chain exploit: 1.00-2.70 (byepervisor)
Linux Kexec: Coming Soon
PSN access: NEVER
Latest OFW: 10.40 (11/12/24)
Latest beta OFW: 10.00 b2 (25/07/24)
OFW Updates:
HERE
Legit PKG Updates: HERE

https://github.com/PS5Dev/PS5-UMTX-Jailbreak/releases/tag/v1.2

UMTX 1.2 exploit works on 1.00-5.xx with WebKit:
https://zecoxao.github.io/umtx/ or https://es7in1.site/ (payloads not working on 5.xx yet)

UMTX 6.xx-7.61 will require a new webkit exploit for digital consoles

PS5 Itemzflow compatibility list:

Recommended hosts:
AL-AZIF WEB HOST:
DNS 1: 165.227.83.145
DNS 2: 192.241.221.79

https://cthugha.thegate.network/
https://ithaqua.thegate.network/

NOMADIC20000 HOST:
DNS 1: 62.210.38.117

(Leave DNS 2 blank)
http://es7in1.site/
https://zecoxao.github.io/ps5jb/

https://ps5jb.pages.dev/
https://sleirsgoevy.github.io/ps4jb2/ps5-403/index.html

PS5 game updates: https://psxpatches.com/

Summarised OFW/Model guide: HERE

1.XX-7.61 game compatibility list: HERE

Update OFW manually via USB by getting the firmware file from HERE and installing from <USB>:/PS5/UPDATE/PS5UPDATE.PUP

SYSTEM UPDATES:
7.61 SYS MD5: d5eca8b171a8d7df7ba225167f77e645 (ready for exploit)
6.50 SYS MD5: 98db854ba47a75dff0cb09355bca9025 (ready for exploit)
5.50 SYS MD5: edb3513ec531b2bd28f3a0b52a82a54f (exploited)
4.51 SYS MD5: 1330b7bf63bf5c93d809b1eb1f4e1f01 (exploited)
4.03 SYS MD5: 3716e4e6e0d223cd94cd4a8e5bd4fb94 (exploited)

RECOVERY UPDATES (wipes all data):

7.61 REC MD5: 932f24e934723050fe49561b67e95226 (ready for exploit)
6.50 REC MD5: 4305223c12bd6dda9b944c0ee49c94c0 (ready for exploit)
5.50 REC MD5: c939ac8b37e07bbc129816a61002d30a (exploited)
4.51 REC MD5: da78ca268da90a963d89b0f45db0f061 (exploited)
4.03 REC MD5: e6dcc800d8d1dcada4f2bcd6e7ff162c (exploited)


OFW 1.xx cannot run PS4 games.
OFW 2.xx runs PS4 games up to 8.03
OFW 3.xx runs PS4 games up to 8.52
OFW 4.xx runs PS4 games up to 9.04
OFW 5.xx runs PS4 games up to 9.60
OFW 6.xx runs PS4 games up to 10.50
OFW 7.xx runs PS4 games up to 11.00
OFW 8.xx/9.xx runs PS4 games up to 11.50

PS4 backported FPKGs work perfectly on PS5.

To determine your OFW version:
Go to settings > system > console information.

Version string info:
Year.Half (1st/2nd half of the year)-Major Version No.Minor Version No.Extended info-Further Info.Retail/Debug

21.02-04.03.00.00-00.00.00.0.1

First BD-J + Kernel access exploit provided by Sleirsgoevy (29/9/22)


Note: There are several USERLAND exploits, a couple of KERNEL exploits, and there is now a public HYPERVISOR exploits available for 1.xx-2.70 to complete the full exploit chain (23/10/24).

Recently Flatz confirmed he has developed his own HV exploit (1.xx-4.51 which is kept private) which was chained from a PS4 save game, and has successfully dumped PlayStation Secure Processor (27/07/23).


As of August 4th 2022: We can now install PS4/PS5 PKG games and updates (and by extension FPKGs) however official PKGs cannot be run unless you legitimately owned them previously digitally and have a licence for them on your current console, or if you own the disc (for update pkgs).

As of October 6th PS4 FPKG can be played on 4.03 OFW thanks to Sliersgoevy FPKG enabler!

Payload: https://gbatemp.net/download/4-03-fpkg-enabler-hen.38248/

As of October 21st PS4 FPKG can be played on 4.50 thanks to cheburek3000 porting offsets.

Payload: https://gbatemp.net/download/4-50-fpkg-enabler-hen.38279/

As of October 25th theflow0 fixes BD-J path traversal and native code execution for 7.61
https://x.com/theflow0/status/1717088032031982066?s=46&t=PIYQV4jmWEyCbVfx3Nx26g

As of November 4th ktuff is fixed for 4.51:

Payload: https://gbatemp.net/download/fpkg-enabler-4-51-hen.38306/

Nov 7th PS5 backups loaded via Itemzflow by Lightningmodz and Echostretch. Fully decrypted dumps require system files bundled into them in order to run without crashing with Libhijacker (no hen required), details here: https://gbatemp.net/threads/ps5-exploit-guide.613891/page-109#post-10290677

As of November 30th ps5debug has been released by SiSTR0: https://github.com/GoldHEN/ps5debug
Mirror: https://gbatemp.net/download/ps5debug.38333/

Dec 1st: first PS5 trainer (Dark Souls) is completed ready for the imminent release of REAPER Multi Trainer II by CTN.

Dec 25th: PS5 back up loading via ITEMZFLOW now released: https://pkg-zone.com/details/ITEM00001

As of Jan 2nd 2024 Sleirsgoevy has ported K-Stuff offsets for 3.xx firmwares.

As of Jan 4th 2024 LM had added 3.XX Kstuff to Itemzflow meaning 3.XX-4.51 is now supported for PS4/PS5 backups and dumping.


Oct 8th 2024: BD-JB + Kernel works on 7.61 thanks to user Hammer.
1: Never enable IDU mode.
If you do you will need to enter staff mode by holding L1 + L2 and tapping this combo: circle, cross, square, triangle, right D-Pad. Release L1 + L2 and you can access settings to exit IDU.

2: Try to stay on the lowest FW possible and wait it out for hacks on that firmware.

3: PS5 FPKGs cannot work as a hack for the a53 processor does not publicly exist to enable PS5 content as FPKG/PKG.

4: Installing legit game PKGs you do not own will not work, even if spoofed.

5: If you get stuck in a boot loop at the PS logo, this means the SNVS is corrupted (if hash check fails on boot this causes a “soft brick”).

It’s not “bricked”, just reinstall your current firmware RECOVERY PUP in safe mode!

USB: PS5 > UPDATE > PS5UPDATE.PUP

WEBKIT EXPLOIT:
Webkit > Kernel exploit chain for 3.00-4.51 via SpectreDev & ChendoChap:
https://github.com/Cryptogenic/PS5-4.03-Kernel-Exploit

https://github.com/ChendoChap/PS5-IPV6-Kernel-Exploit/tree/wip_branch

4.03 only: https://sleirsgoevy.github.io/ps4jb2/ps5-403/index.html

BD-JB EXPLOIT:
BD-JB > Kernel exploit chain for 4.51 via Sleirsgoevy:
https://github.com/sleirsgoevy/bd-jb/commit/159253464afde59c3007a706210bec65b91f38f3

PS2 CLASSICS EXPLOIT:
PS2 Classics > Userland via CTurt:
(Implementation by McCaulay)

Note: this is currently limited to swapping the loaded PS2 iso, or loading PS2 elf homebrew on PS5 (or PS4) for emulators or basic PS2 brew.

Mast1c0re PS2 exploit for PS2 homebrew:
https://cturt.github.io/mast1c0re.html

Mast1c0re part 2:
https://cturt.github.io/mast1c0re-2.html

Mast1c0re payload framework:
https://github.com/McCaulay/mast1c0re

Okrager save game exploit generator for Okage:
https://github.com/McCaulay/okrager

Mast1c0re payloader TCP Client GUI for PS5 6.50:
https://github.com/Master-s/PS4-PS5-Mast1c0re-Payloader/releases

TCP network ISO loader:
https://github.com/McCaulay/mast1c0re-ps2-network-elf-loader/releases

ExFat USB ISO loader:
https://github.com/McCaulay/mast1c0re-ps2-usb-game-loader/releases

4.03 PAYLOADS:
PS5 self dumper (Sleirsgoevy):
https://github.com/sleirsgoevy/ps4jb-payloads/tree/bd-jb/ps5-self-dumper

PS4 FPKG Enabler (Sleirsgoevy):
https://gbatemp.net/download/4-03-fpkg-enabler-hen.38248/

4.5X PAYLOADS:
(Coming soon)

MISC PAYLOADS + TOOLS:
PS5 version display payload by SiSTR0 (compiled by Logic-68):
https://github.com/logic-68/Portage_PS5Version_Mast1c0re/releases/tag/V1.0.0

Libhijacker (by Astrelsky):
https://github.com/astrelsky/libhijacker

60 FPS patches for Libhijacker (by illusion0001):
https://github.com/illusion0001/libhijacker
Console/exploit information:

PS5 SDK REPO:

https://github.com/PS5Dev

PS5 factory mode PUP installation path:
/usb/PROSPERO/UPDATE/PROSPEROUPDATE.PUP

You can install free/demo PKGS (legit pkgs) via debug pkg installer, providing you have all the files/json/licences required.

(Astro’s Playroom has no licences and can be installed and played from official pkgs and update up to 1.60)
 
Last edited by KiiWii,

C_2_T

Well-Known Member
Newcomer
Joined
Nov 13, 2024
Messages
68
Trophies
0
Age
43
XP
75
Country
United States
Wondering if it's just a reuse of PS2 theme of the PS4.🤔
if it's possible to ftp to the console, you could probably find out. I think ps4 sounds are either in at3 or at9 format, forgot which, but you can change the sounds on the ps4, I'm pretty sure. did they do this for the 20th anniversary on the ps4?
 

Randqalan

The Wheel of Time Turns
Member
Joined
Jan 25, 2014
Messages
1,188
Trophies
3
Location
M00N Base quanto
XP
2,963
Country
United States
if it's possible to ftp to the console, you could probably find out. I think ps4 sounds are either in at3 or at9 format, forgot which, but you can change the sounds on the ps4, I'm pretty sure. did they do this for the 20th anniversary on the ps4?
Afaik no but there is a ps2 theme for the PS4 that looks a lot like the one used on 30th.
 
  • Like
Reactions: C_2_T

C_2_T

Well-Known Member
Newcomer
Joined
Nov 13, 2024
Messages
68
Trophies
0
Age
43
XP
75
Country
United States
Afaik no but there is a ps2 theme for the PS4 that looks a lot like the one used on 30th.
I don't remember exactly what a theme looks like on the ps4, but I think it's a collection of xml's and other files. I know the wave, unlike the ps3 wave, is two files this time around or something like that. I haven't messed with the ps4 in years, so I'm basing this on memory.
 
  • Like
Reactions: Randqalan

KiiWii

Editorial Team
OP
Editorial Team
Joined
Nov 17, 2008
Messages
17,389
Trophies
3
Website
defaultdnb.github.io
XP
31,079
Country
United Kingdom
https://github.com/buzzer-re/NineS/tree/24067bdb0103ad335293d5f0a9fbc09d59de005d

Nines (9S) - POC​

This project is the result of an experiment in code injection techniques on the PlayStation 5. Since it's not possible to allocate executable memory using calls like mmap, and other techniques, such as abusing the JIT memory area to write shellcode, are not available to every process, alternative methods are explored.

Idea​

The concept is simple. By using Kernel R/W primitives in the kernel .data section, one can elevate process-specific privileges, such as the AuthorityID, which allows debugging of other processes via ptrace.

With this power, it is possible to invoke remote functions to load a library into the process, which provides a suitable space for executable memory.

Once the library is loaded, it’s possible to remove all existing data and either write shellcode or load an ELF file into the allocated memory. This technique is similar to the Windows Process Hollowing method.

To trigger the shellcode, we remotely resolve and call the pthread_create function to initialize the shellcode.
 

xZenithy

Well-Known Member
Member
Joined
Mar 4, 2019
Messages
223
Trophies
0
Age
46
XP
1,984
Country
United Kingdom
https://github.com/buzzer-re/NineS/tree/24067bdb0103ad335293d5f0a9fbc09d59de005d

Nines (9S) - POC​

This project is the result of an experiment in code injection techniques on the PlayStation 5. Since it's not possible to allocate executable memory using calls like mmap, and other techniques, such as abusing the JIT memory area to write shellcode, are not available to every process, alternative methods are explored.

Idea​

The concept is simple. By using Kernel R/W primitives in the kernel .data section, one can elevate process-specific privileges, such as the AuthorityID, which allows debugging of other processes via ptrace.

With this power, it is possible to invoke remote functions to load a library into the process, which provides a suitable space for executable memory.

Once the library is loaded, it’s possible to remove all existing data and either write shellcode or load an ELF file into the allocated memory. This technique is similar to the Windows Process Hollowing method.

To trigger the shellcode, we remotely resolve and call the pthread_create function to initialize the shellcode.
Finally, an alternative way to bypass mmap for firmware 5.x to 7.61.
I hope that on next year some genius made a full implementation of it for fw 5.x. :)
 

Wolf85

Well-Known Member
Member
Joined
Feb 29, 2016
Messages
118
Trophies
0
Age
39
XP
457
Country
United States
So I was messing around with my og ps5 with 2.00 firmware. I inserted my ffxvi disc and got the update message. I then activated the Byepervisor exploit from idlesauce and inserted the disc and it started copying like a download. I canceled it because I was worried it might update the system software in the process.
 

FR0ZN

Well-Known Member
Member
Joined
Nov 2, 2013
Messages
1,488
Trophies
3
Age
38
XP
4,487
Country
United States

Nothing new.
fail0verflow, Plutoo and flatz are known to have access to these keys, because they all exploited the PSP.
I suspect that thefl0w also has them, because he can tell if certain mitigations are still (not) present in the latest FWs.

For the average joe, these keys mean nothing, as they don't necessarily grant new exploits.
They do however enable devs to diff the binaries and see what changes Sony made under the hood and identify potential exploits on previous FWs.
This is how the 9.00 exFAT exploit on the PS4 happened if I'm not mistaken.

Apart from that, only pirates are probably interested in those keys, as they would allow to decrypt the latest titles on a PC.
That's how we got all the backports for the PS4.
 

Wolf85

Well-Known Member
Member
Joined
Feb 29, 2016
Messages
118
Trophies
0
Age
39
XP
457
Country
United States
Nothing new.
fail0verflow, Plutoo and flatz are known to have access to these keys, because they all exploited the PSP.
I suspect that thefl0w also has them, because he can tell if certain mitigations are still (not) present in the latest FWs.

For the average joe, these keys mean nothing, as they don't necessarily grant new exploits.
They do however enable devs to diff the binaries and see what changes Sony made under the hood and identify potential exploits on previous FWs.
This is how the 9.00 exFAT exploit on the PS4 happened if I'm not mistaken.

Apart from that, only pirates are probably interested in those keys, as they would allow to decrypt the latest titles on a PC.
That's how we got all the backports for the PS4.
It is not just for piracy, some people would like to install their games from disc and not need the disc anymore unless to reinstall...
 

AlphaBravo

Well-Known Member
Member
Joined
Oct 9, 2018
Messages
159
Trophies
0
Age
42
XP
700
Country
United Kingdom
$ony could have met us halfway with the consoles asking disc to be inserted every 7 days or so. Either that or a drive with three disc slots :P
 

Site & Scene News

Popular threads in this forum

General chit-chat
Help Users
    AncientBoi @ AncientBoi: :creep:🍆