Following theflow0's Blu-ray Disc Java Sandbox Escape (PS4 BD-JB / PS5 BD-JB) presentation at the HardWear 2022 Conference, developer @sleirsgoevy announced on Twitter that he has updated his GitHub repository with a partial reimplementation of TheFloW's BD-JB (no kernel part yet), alongside a bd-jb.iso image among the files below. :love:

Download: bd-jb-master.zip / GIT / bd-jb.iso (8.0 MB) / bd-jb.iso (4.0 MB) / Blaster Bunny BD-J.zip (7.1 MB) / Minimal BD-J (Java) Devkit for PS3.zip (5.9 MB) / PS3 Pong Ready to Go Pack.rar (80 KB) / PS3 Pong Source.rar (54 KB) / snake1_1_fixed2.rar (362 KB) / MEGA Folder

For those new to the PlayStation 4 Scene, this comes following Sleirsgoevy's Blu-Play DOOM I Port, JamVM (Java Virtual Machine) Port, PS4 9.00 FontFaceSet Vulnerability PoC, PS4 9.00 & PS5 WebKit Exploit, the PS4 Jailbreak 9.00 pOOBs4 Exploit and Sleirsgoevy's Script for Rooted Android Samsung Devices to Avoid a USB Drive... with demo videos of both a Pong Homebrew Game PS5 BD-J Test and a Doom Homebrew Game PS5 BD-J Test for those in the PlayStation 5 Scene.

Here are further details from the README.txt:

bd-jb

Reimplementation of TheFlow's bd-jb. No kernel part yet.

BD-JB reimplementation based on TheFlow's report and presentation. Implements loading arbitrary .bin payloads using vulnerabilities #2 (privileged constructor call), #3 (privileged method call), #4 (jit hack) from the report. Listens for payloads on port 9019.

The first (and only) argument to the payload is the address of sceKernelDlsym, which can be used to resolve other symbols. It seems that libkernel_sys.sprx always has id 0x2001, and you can look up other libraries by getting the full list of handles and looking up the name of each handle. You can't directly call syscalls due to missing kernel patches.

Code:
0x2D2F0 is the offset of SceKernelDlsym in libkernel_sys.sprx
Testing the Partial Implementation by Sleirsgoevy
Use the following Ghidra script on a decrypted libkernel_sys.sprx loaded with GhidraOrbis to add mast1c0re support for other firmware versions (Dumps the `***/include/offsets/ps/libkernel/psx/xx.xx.hpp` file)
Cheers to @tecniqueza (YouTube Channel) on Twitter for the updates and image below! 🍻