Prospero App0 List & BD-JB Reimplementation, PS4 9.03 / 9.04 Payload Test

This weekend PlayStation homebrew developer bigboss (aka psxdev) made available a Prospero App0 List and also shared via Twitter a Prospero BD-JB Reimplementation based on the PS4 BD-JB / PS5 BD-JB presentation (PDF Report) from TheFloW at HardWear 2022 and @sleirsgoevy's BD-JB Base Code alongside a PS4 9.03 / 9.04 Ret.bin Payload Test via @zecoxao on Twitter for those with a BD-JB Blu-ray (Pong / Doom / Blu-Play.com) that returns nothing except the text 'Hello World' after a black screen.

Download: Prospero App0 List / bd-jb-main.zip / GIT / ret.bin (0 MB) / bigboss.iso (6.44 MB) / sample.iso (6.44 MB) / FTPS4.7z (0.41 MB) / Notification.7z (0.37 MB) / FTPS4.7z (0.38 MB - Lists sandbox directory and fetches files) / FTPS4.7z (0.38 MB - Auto-resolves IP and sends notification) / payload.bin (0.02 MB - PS4 9.00 / 9.03 / 9.04 FTP payload with updated Makefile) / PS5 Rootvnode Listdir PoC iSO by Sleirsgoevy

For those joining the PlayStation 5 Scene recently this comes following the Prospero Directory Tree Listing & Dumping 4.03 PS5 Filesystem Script, PS5 4.03 Error Codes, 4.03 PS5 Registry Key Entries & Title IDs, IDA ELF Loader Plugin & PS5 Symbols and from gistfile1.txt:

[HOST] debugnet listener up
[HOST] ready to have a lot of fun!!!
[PROSPERO][INFO] UdpLogger initialized
[PROSPERO][INFO] [+] bd-jb by bigboss based on TheFlow and sleirsgoevy implementation
[PROSPERO][INFO] [+] Escaping Java Sandbox...
[PROSPERO][INFO] [+] first list in . ...
[PROSPERO][INFO] META-INF
[PROSPERO][INFO] org
[PROSPERO][INFO] [+] now try fakeIxcProxy . ...
[PROSPERO][INFO] [+] after FakeIxcProxy...
[PROSPERO][INFO] cdc
[PROSPERO][INFO] psm
[PROSPERO][INFO] sce_sys
[PROSPERO][INFO] BdmvPlayerCore.elf
[PROSPERO][INFO] BdvdPlayerCore.elf
[PROSPERO][INFO] CapFont_MARU.cbf.GZ
[PROSPERO][INFO] CapSound.pcm
[PROSPERO][INFO] TA_AACS.sbin
[PROSPERO][INFO] UHDBdPlayerCore.elf
[PROSPERO][INFO] eboot.bin
[PROSPERO][INFO] libAacs.sprx
[PROSPERO][INFO] libBdplus.sprx
[PROSPERO][INFO] libCprm.sprx
[PROSPERO][INFO] libCss.sprx

Also from the README.md: bd-jb

bd-jb is a BD-JB reimplementation for prospero based on TheFlow's report and sleirsgoevy base code

By now only implemented:

• Vulnerability #2 to list /app0 content
• Added udp logs you can get it in your pc change host variable on MyXlet.java and use something like this on your pc/mac:

socat udp-recv:18194 stdout

Logs on your host

[HOST] debugnet listener up
[HOST] ready to have a lot of fun!!!
[PROSPERO][INFO] [+] UdpLogger initialized...
[PROSPERO][INFO] [+] Receive udp log in 192.168.1.12 with: socat udp-recv:18194 stdout
[PROSPERO][INFO] [+] bd-jb by bigboss based on TheFlow and sleirsgoevy implementation
[PROSPERO][INFO] [+] Escaping Java Sandbox...
[PROSPERO][INFO] [+] Creating File object with path /app0
[PROSPERO][INFO] [+] Creating FakeIxcProxy object...
[PROSPERO][INFO] [+] FakeIxcProxy object created...
[PROSPERO][INFO] [+] Invoking list method with pInvokeMethod...
[PROSPERO][INFO] cdc
[PROSPERO][INFO] psm
[PROSPERO][INFO] sce_sys
[PROSPERO][INFO] BdmvPlayerCore.elf
[PROSPERO][INFO] BdvdPlayerCore.elf
[PROSPERO][INFO] CapFont_MARU.cbf.GZ
[PROSPERO][INFO] CapSound.pcm
[PROSPERO][INFO] TA_AACS.sbin
[PROSPERO][INFO] UHDBdPlayerCore.elf
[PROSPERO][INFO] eboot.bin
[PROSPERO][INFO] libAacs.sprx
[PROSPERO][INFO] libBdplus.sprx
[PROSPERO][INFO] libCprm.sprx
[PROSPERO][INFO] libCss.sprx

Screenshot

​

Change log

• 18/06/2022 Initial public release

Credits

• TheOfficialFlow for his amazing presentation and all the research done
• sleirsgoevy for base code and helping with zecoxao to fix the bracketgate
• frangar, fjtrujy, psxdev aka "los nenes"

Spoiler: Related Tweets & Videos

 

[kerplunk83]

Awesome!