Following TheFlow0's BD-JB Sandbox Escape at Hexacon, the 4.03 PS5 HEN PS4 FPKG Enabler Payload & Porting Offsets and the recent 4.50 PS5 HEN PS4 FPKG Enabler Payload Port comes a revision by security engineer theflow0 to the BD-JB PS5 Exploit (BD-J Tools) that supports userland execution (not kernel, i.e. no KeX) on PlayStation 5 consoles through 7.61 PS5 Firmware. Andy Nguyen aka TheOfficialFloW on Github confirmed via Twitter that the path-traversal sandbox escape was fixed in 8.00 PS5 System Software:
Seems like Sony fixed the bd-jb path traversal sandbox escape on PS5 FW 8.00. PoC tweetable: Change bdjo.xml#L13:
Code:
<baseDirectory>00000</baseDirectory>
to:
Code:
<baseDirectory>file:///app0/cdc/lib/../../../disc/BDMV/JAR/00000.jar</baseDirectory>
and enjoy native code execution on PS5 FW 7.61.
The PlayStation 5 Remote JAR Loader was also confirmed as working on 7.61, with a new PS5 JAR Loader revision by hammer-83 on Github (2023-10-27):
Note: this does not include any exploits, just a proof of concept for repeatedly executing arbitrary JARs on a PS5.
- Burn ps5-jar-loader.iso on a BD-R(E).
- Insert into PS5, go to Media / Disc Player.
- Press Play on "PS5 JAR Loader"
- When the message appears showing the IP address where JAR loader is listening, try sending hello-world-remote.jar using the following command:
Code:
${path_to_java_11}/java --add-opens java.base/jdk.internal.loader=ALL-UNNAMED -jar hello-world-remote.jar ${ps5_ip_address}
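The bdjo.xml path-traversal PoC quoted above, worked through as an added example in Python. This is not code from TheFlow, bd-jb or the PS5 JAR Loader: the sandbox root /app0/cdc/lib (taken from the PoC's own prefix) and the way the loader turns a baseDirectory value into a path are assumptions for illustration. It shows why a prefix check on the raw string lets the PoC value through and what a containment check that normalises the path first looks like.

```python
# Added example (not from the original post, bd-jb, or the PS5 JAR Loader):
# why the bdjo.xml <baseDirectory> change in the quoted PoC is a path
# traversal, and how a containment check catches it. The sandbox root and the
# loader's path handling below are assumptions for illustration only.
from posixpath import normpath
from urllib.parse import unquote, urlparse

# Assumed sandbox root: the directory a BD-J application is confined to.
SANDBOX_ROOT = "/app0/cdc/lib"


def raw_path(value):
    """Un-normalised path for a <baseDirectory> value.

    A bare name is taken relative to the sandbox root; a file:// URI is
    taken as given (percent-decoded, so %2e%2e becomes '..').
    """
    if value.startswith("file://"):
        return unquote(urlparse(value).path)
    return SANDBOX_ROOT + "/" + value


def resolve_base_directory(value):
    """Resolve to an absolute path: normpath() collapses every '..' segment,
    which is what turns the PoC value into a path outside the sandbox."""
    return normpath(raw_path(value))


def weak_check(value):
    """Naive check on the raw string: does it *start* with the sandbox root?

    This passes the PoC value, because the traversal happens after the
    '/app0/cdc/lib' prefix.
    """
    return raw_path(value).startswith(SANDBOX_ROOT + "/")


def strict_check(value):
    """Hardened check: normalise first, then require the result to be the
    root itself or strictly below it (the trailing '/' keeps a sibling such
    as /app0/cdc/lib2 from passing)."""
    resolved = resolve_base_directory(value)
    root = normpath(SANDBOX_ROOT)
    return resolved == root or resolved.startswith(root + "/")


# Constructed inputs: the original bdjo.xml value and the PoC's replacement.
BENIGN = "00000"
TRAVERSAL = "file:///app0/cdc/lib/../../../disc/BDMV/JAR/00000.jar"

if __name__ == "__main__":
    samples = (
        BENIGN,
        TRAVERSAL,
        "../../..",
        "file:///app0/cdc/lib/%2e%2e/%2e%2e/%2e%2e/disc/x.jar",  # encoded variant
        "file:///app0/cdc/lib2/x.jar",                           # sibling directory
    )
    for v in samples:
        print(f"{v!r:60} -> {resolve_base_directory(v):28} "
              f"weak={weak_check(v)} strict={strict_check(v)}")
```

The PoC value resolves to /disc/BDMV/JAR/00000.jar, three levels above the assumed root, while the raw-prefix check still reports it as inside /app0/cdc/lib; only the check that normalises before comparing rejects it, along with the percent-encoded and sibling-directory variants.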