This weekend PlayStation homebrew developer bigboss (aka psxdev) made available a Prospero App0 List and shared via Twitter a Prospero BD-JB reimplementation, based on TheFloW's PS4 BD-JB / PS5 BD-JB presentation (PDF report) at HardWear 2022 and @sleirsgoevy's BD-JB base code. Alongside it, @zecoxao posted on Twitter a PS4 9.03 / 9.04 ret.bin payload test for those with a BD-JB Blu-ray (Pong / Doom / Blu-Play.com); it returns nothing except the text 'Hello World' after a black screen.

Download: Prospero App0 List / bd-jb-main.zip / GIT / ret.bin (0 MB) / bigboss.iso (6.44 MB) / sample.iso (6.44 MB) / FTPS4.7z (0.41 MB) / Notification.7z (0.37 MB) / FTPS4.7z (0.38 MB - Lists sandbox directory and fetches files) / FTPS4.7z (0.38 MB - Auto-resolves IP and sends notification) / payload.bin (0.02 MB - PS4 9.00 / 9.03 / 9.04 FTP payload with updated Makefile) / PS5 Rootvnode Listdir PoC iSO by Sleirsgoevy

For those joining the PlayStation 5 Scene recently, this comes following the Prospero Directory Tree Listing & Dumping 4.03 PS5 Filesystem Script, PS5 4.03 Error Codes, 4.03 PS5 Registry Key Entries & Title IDs, and the IDA ELF Loader Plugin & PS5 Symbols. From gistfile1.txt:
Code:
[HOST] debugnet listener up
[HOST] ready to have a lot of fun!!!
[PROSPERO][INFO] UdpLogger initialized
[PROSPERO][INFO] [+] bd-jb by bigboss based on TheFlow and sleirsgoevy implementation
[PROSPERO][INFO] [+] Escaping Java Sandbox...
[PROSPERO][INFO] [+] first list in . ...
[PROSPERO][INFO] META-INF
[PROSPERO][INFO] org
[PROSPERO][INFO] [+] now try fakeIxcProxy . ...
[PROSPERO][INFO] [+] after FakeIxcProxy...
[PROSPERO][INFO] cdc
[PROSPERO][INFO] psm
[PROSPERO][INFO] sce_sys
[PROSPERO][INFO] BdmvPlayerCore.elf
[PROSPERO][INFO] BdvdPlayerCore.elf
[PROSPERO][INFO] CapFont_MARU.cbf.GZ
[PROSPERO][INFO] CapSound.pcm
[PROSPERO][INFO] TA_AACS.sbin
[PROSPERO][INFO] UHDBdPlayerCore.elf
[PROSPERO][INFO] eboot.bin
[PROSPERO][INFO] libAacs.sprx
[PROSPERO][INFO] libBdplus.sprx
[PROSPERO][INFO] libCprm.sprx
[PROSPERO][INFO] libCss.sprx
Also, from the README.md:

bd-jb

bd-jb is a BD-JB reimplementation for Prospero based on TheFloW's report and sleirsgoevy's base code.

So far only implemented:
  • Vulnerability #2, used to list the /app0 content
  • UDP logging: to receive the log on your PC, change the host variable in MyXlet.java and run something like this on your PC/Mac:
Code:
socat udp-recv:18194 stdout
Logs on your host
Code:
[HOST] debugnet listener up
[HOST] ready to have a lot of fun!!!
[PROSPERO][INFO] [+] UdpLogger initialized...
[PROSPERO][INFO] [+] Receive udp log in 192.168.1.12 with: socat udp-recv:18194 stdout
[PROSPERO][INFO] [+] bd-jb by bigboss based on TheFlow and sleirsgoevy implementation
[PROSPERO][INFO] [+] Escaping Java Sandbox...
[PROSPERO][INFO] [+] Creating File object with path /app0
[PROSPERO][INFO] [+] Creating FakeIxcProxy object...
[PROSPERO][INFO] [+] FakeIxcProxy object created...
[PROSPERO][INFO] [+] Invoking list method with pInvokeMethod...
[PROSPERO][INFO] cdc
[PROSPERO][INFO] psm
[PROSPERO][INFO] sce_sys
[PROSPERO][INFO] BdmvPlayerCore.elf
[PROSPERO][INFO] BdvdPlayerCore.elf
[PROSPERO][INFO] CapFont_MARU.cbf.GZ
[PROSPERO][INFO] CapSound.pcm
[PROSPERO][INFO] TA_AACS.sbin
[PROSPERO][INFO] UHDBdPlayerCore.elf
[PROSPERO][INFO] eboot.bin
[PROSPERO][INFO] libAacs.sprx
[PROSPERO][INFO] libBdplus.sprx
[PROSPERO][INFO] libCprm.sprx
[PROSPERO][INFO] libCss.sprx
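The socat one-liner above just dumps whatever arrives on UDP 18194. As an added example (not part of bd-jb or the README), here is a stdlib-only Python receiver for the same port that timestamps each line, reassembles lines that arrive split across datagrams, and parses the `[PROSPERO][LEVEL]` prefix so the `[+]` progress messages can be separated from the bare /app0 entries. The port number is the one in the README; the line format is taken from the log shown above; the sample datagrams are constructed for the demo and are not a real capture.

```python
"""Added example: a socat-style UDP log receiver for bd-jb's UdpLogger output.

Not code from the bd-jb project. Assumes the log lines look like
'[PROSPERO][INFO] message' as in the README output; the datagram
fragmentation in SAMPLE_DATAGRAMS is constructed for the demo.
"""
import re
import socket
import sys
import time
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Optional, Tuple

PORT = 18194  # port used by the README's `socat udp-recv:18194 stdout`

# '[SRC][LEVEL] message' -- the prefix the Xlet's UdpLogger writes
LINE_RE = re.compile(r"^\[(?P<src>[A-Z]+)\]\[(?P<level>[A-Z]+)\]\s?(?P<msg>.*)$")


@dataclass
class LogLine:
    source: str
    level: str
    message: str
    is_status: bool  # True for '[+] ...' progress lines, False for listing entries


def parse_line(raw: str) -> Optional[LogLine]:
    """Parse one console log line; returns None for lines without the prefix
    (for example the host-side '[HOST] ...' lines printed by the listener)."""
    m = LINE_RE.match(raw.rstrip("\r\n"))
    if not m:
        return None
    msg = m.group("msg")
    return LogLine(m.group("src"), m.group("level"), msg, msg.startswith("[+]"))


def split_datagrams(chunks: Iterable[bytes]) -> Iterator[str]:
    """Yield complete lines from a stream of datagram payloads.

    A datagram may carry several lines or only part of one, so bytes are
    buffered until a newline is seen; a trailing partial line is flushed
    at the end so nothing is silently dropped."""
    buf = ""
    for chunk in chunks:
        buf += chunk.decode("utf-8", errors="replace")
        while "\n" in buf:
            line, buf = buf.split("\n", 1)
            yield line
    if buf:
        yield buf


def collect_listing(lines: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split parsed lines into (progress messages, directory entries)."""
    status: List[str] = []
    entries: List[str] = []
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue
        (status if parsed.is_status else entries).append(parsed.message)
    return status, entries


# Constructed sample (not a real capture): README-style lines, deliberately
# fragmented so one datagram holds two lines and one line spans two datagrams.
SAMPLE_DATAGRAMS = [
    b"[HOST] debugnet listener up\n",
    b"[PROSPERO][INFO] [+] Escaping Java Sandbox...\n[PROSPERO][INFO] cdc\n",
    b"[PROSPERO][INFO] ps",
    b"m\n[PROSPERO][INFO] sce_sys\n",
]


def demo() -> Tuple[List[str], List[str]]:
    """Run the parser over the constructed sample; returns the split listing."""
    return collect_listing(split_datagrams(SAMPLE_DATAGRAMS))


def serve(port: int = PORT) -> None:
    """Bind the UDP port and print each reassembled line with a timestamp."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    print(f"[HOST] listening on udp/{port}", flush=True)

    def datagrams() -> Iterator[bytes]:
        while True:
            data, _addr = sock.recvfrom(65535)
            yield data

    for line in split_datagrams(datagrams()):
        print(f"{time.strftime('%H:%M:%S')} {line}", flush=True)


if __name__ == "__main__":
    serve(int(sys.argv[1]) if len(sys.argv) > 1 else PORT)
```

Run it as `python3 udplog.py` (optionally with a different port) in place of the socat command; the host you set in MyXlet.java must be the PC's LAN address, and the port must be open in the PC's firewall or the log will simply never appear.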
Screenshot: screenshot.png

Change log
  • 18/06/2022 Initial public release
Comments

@mjr1337
You need a Blu-ray burner and a BD-RE disc. Then on the GitHub there is an ISO file, which you should write to the disc. Then you run the disc on the PS5 and you see "Hello world". That means it works fine.
 
Speaking to folk elsewhere, it appears the BD-J exploit is entry point only, the same as the WebKit exploit that surfaced some months ago.

For the PS5 we need to escape the hypervisor, so the Blu-ray disc method may be more stable than the WebKit exploit, but it appears there are still certain bits of the jigsaw missing.

The WebKit exploit may still be utilized, so it may be prudent to hold off on purchasing a burner etc., as it's unclear whether BD-J is likely to remain the front runner.
 
@cpt
Yes, kinda... it is an entry point to inject code so the kernel panics and shuts down its security systems (-ish); the system is vulnerable. On PS4 you load it via the web exploit and a USB stick. We saw TheFloW's presentation where he had just this BD and a brand-new PS5, and he had the debug tools activated, so it seems that in the future we just use this BD.
 
@jamesblond007
So in theory you need to find a kernel bug and then find a way to trigger that bug and gain kernel access. However, there is already a known good kernel bug (TheFloW's fifth vulnerability) which we know has already worked well on the PS5. In theory maybe you can combine that bug with the WebKit exploit, if that is ever possible, but that bug is in the UDF driver, which is responsible for handling the Blu-ray drive.

So if you want to use that bug you necessarily have to use a Blu-ray disc. At this point you are already forced to use the disc, so it is better to use BD-JB as the entry point instead of WebKit, because it's more stable and powerful and we know with certainty that it's compatible with the fifth vulnerability.

There are also other bugs like the exFAT bug or the kernel heap overflow bug that don't need a Blu-ray disc, but at the moment none of the developers, after struggling for months, has been able to trigger those bugs via WebKit.

And then the hypervisor, step by step. First we need to have kernel access. Then we also have to find a way to bypass the hypervisor. So at the moment Blu-ray discs apparently have the edge in the scene.
 
Still don't understand the rush/need/urgency of some people crying out for a full PS5 exploit chain (JB). These people will almost all only want it for backups. What really confuses me is how these people can afford a £600 console but cannot afford to buy the games to play on it. Don't come back with the "I use it for testing a game before I buy it" crap either, because 99% of the time that's just BS.

Most of these people who cry out for exploits with "ETA wen?", or go around asking the same questions over and over again when the answer is almost certainly already in the very forum thread they are asking in, would be best off selling their PS5 and buying something more useful for their life.

The PS5 exploit crowd are already sounding as desperate as the PS4 one was, and it's only just getting going.
 