Following the 5.05 PS4 Jailbreak announcement and the release of Project Mira v1.0, PlayStation 4 developer @SpecterDev made available on Twitter a roadmap for the PS4 Homebrew Toolchain alongside a js_shellcode.py Python script to convert payloads to shellcode and, of course, the 5.05 kernel exploit stack release itself, which, as he states, "includes the kexploit that autolaunches homebrew patches and Mira. On subsequent page loads it listens for payloads."
Download: PS4-5.05-Kernel-Exploit-master.zip / GIT / Live Demo / Live Demo (Mirror) / 505-KernelDumper-master.zip / GIT / PS4 Kernel Dumper (AIO) / PS4-Kernel-Dumper.bin / GIT by eversion / 5.05 PS4 Exploit Page by @LightningMods via Twitter
PlayStation 4 developer qwertyoruiop also shared a Live Demo (linked above) of the PS4 5.05 kernel exploit BPF setf double free implementation including Mira + XVortexHEN, and VVildCard777 made available a PS4 5.05 Kernel Dumper, which can also be found linked above.
Several members, including edrix2004 and MICHY, have reported that the PS4 5.05 Kernel Exploit also works on 5.07 OFW, while @Al Azif added 5.05 support to his v0.4.2 Host and icekuv shared a guide to run the 5.05 kexploit locally with an exploit host file pack from Cyb3rr.
There are already several PS4 5.05 Payload updates, including some from XVortex and Codsworth for ESP8266 Devices, with video demos and guides below. Those seeking the PS4 5.05 OFW PUP and Recovery files to Update to a Specific Firmware instead of Sony's latest can find them in several mirrors within this thread and in the archive. Just remember, if you previously used the PS4 Update Blocker, to follow iSCORPION's tip to temporarily disable it.
From the README.md: PS4 5.05 Kernel Exploit
In this project you will find a full implementation of the second "bpf" kernel exploit for the PlayStation 4 on 5.05. It will allow you to run arbitrary code as kernel, to allow jailbreaking and kernel-level modifications to the system. This exploit also contains autolaunching code for Mira and Vortex's HEN payload. Subsequent loads will launch the usual payload launcher.
This bug was discovered by qwertyoruiopz, and can be found hosted on his website here. The GitHub Pages site automatically generated from this repository should also work.
The following patches are made by default in the kernel ROP chain:
- Disable kernel write protection
- Allow RWX (read-write-execute) memory mapping
- Syscall instruction allowed anywhere
- Dynamic Resolving (sys_dynlib_dlsym) allowed from any process
- Custom system call #11 (kexec()) to execute arbitrary code in kernel mode
- Allow unprivileged users to call setuid(0) successfully. Works as a status check, doubles as a privilege escalation.
- Vortex's HEN (Homebrew Enabler)
- The page will crash on successful kernel exploitation, this is normal
Massive credits to the following:
README.md: 5.05 kernel dumper
Compile with your PC's IP listening on port 9023
On PC you can do to listen: socat - tcp-listen:9023 > kernelDump.bin
and to send: socat -u FILE:payload.bin TCP:"PS4 IP":9020
You can then trim out the socket prints, or you can adapt it with 2 sockets: one for dumping, another for logging.
To compile for 5.05 you need to use an *** with changes for 5.05 support. I have used https://github.com/xvortex/ps4-payload-***
PS4 5.05 Jailbreak Tutorial by MODDED_WARFARE
5.05 Installing Package Files (PS4/PS2 Games & Custom Themes) by MODDED_WARFARE
5.05 Kernel Exploit Full Tutorial by Andrew Marques
PS4 Pr0 5.05 Debug Menu by GrimDoe
PS4 Pr0 5.05 / PS2 (Mortal Kombat - Armageddon) by GrimDoe
A few notes on the 5.05 exploit:
1) The page will crash after the kernel exploit successfully runs, this is normal
2) First load after successful exploitation will autoload HEN and Mira (can get klog by nc [ps4 ip] 9998)
3) Subsequent loads go to the usual payload launcher.
This is for those who don't like reading manuals, or simply can't read.
AP Password: ps4xploit (you can change it from the tools menu)
FTP user: ps4xploit
FTP password: ps4xploit (if you change the AP pass, this one will change too)