PS4 Jailbreaking | Thread starter: PSXHAX | Start date: Jul 16, 2020 at 3:00 PM
Since the PS4 7.02 Kernel Exploit release by theflow0 and his PS4 Webkit Bad_Hoist 6.72 Exploit Port WIP, PlayStation 4 scene developer sleirsgoevy (Twitter) added a stable PS4JB: PS4 6.72 Jailbreak Exploit implementation to his Github repository today for those seeking to test it out... and it supports an offline cache, removing the need for hosting. 🤩
  • Should you update your PS4 Firmware to 6.72? Most sceners don't recommend it yet, but if you can't wait there are plenty of mirrors for it available HERE.

  • Should you update your PS4 Firmware to 7.02? No, as there is currently no public Webkit / Userland entry point for the previously released PS4 7.02 Kernel Exploit.

  • What if your PS4 is on Firmware above 7.02? All you can do is wait on a Future PS4 Jailbreak Exploit for higher Firmware or Find a Jailbreakable PS4 Console.
Download: ps4jb-master.zip / GIT / Live Demo / Live Demo #2 / Live Demo #3 / Live Demo #4 (Italian Translation via TheheroGAC) / Live Demo #5 via @AlFaMoDz / Live Demo #6 via ps3120 / Live Demo #7 by Leeful74 / kernel_dump_fw_672.bin by Mugiwara via zecoxao / ps4jb_game_dumper.7z (629 KB - 6.72 Games Dumper by zecoxao via Hyndrid) / PS4 Game Dumper with 6.72 Payloads / PS4 Xplorer 1.22 with 6.72 Support by Lapy05575948 / Ethylamine PS4 Linux Loader 6.72 Payload / PS4-Linux-Loader.bin / Linux-Loader TEST via Cedsaill2 / Easy PKG Extractor 1.05 Lapy - FW 6.72 Only.pkg / PS4 App Lock 1.02 Lapy - FW 6.72 Only.pkg / ps4ninja_672.7z (18 KB) by m0rph3us1987 / PS4 Player 1.03 - Lapy.rar (76.2 MB - 6.72 Only) / Stable Jailbreak / 6.72 .BIN / .ELF File Loader Code by Leeful74 / RetroArch 6.72 PKG / 6.72 Live Demo (Updated) via ps3120

:arrow: Live PS4 6.72 Jailbreak Demo mirrors will be added above as time permits... also as new 6.72 Fake PKGs (FPKGs) are dumped remember we don't allow them on the public forums so be sure to get a Verified Badge via Discord to access the private areas for such things and rock on with everybody there! 🏴‍☠️

:idea: Some other tips to be aware of with the influx of newcomers due to the 6.72 PS4 Jailbreak news:
  • Do not post Tweets in the forum, the Staff will add noteworthy ones to the article OP's as time permits.

  • Do not post links to PS4 FPKG downloads (get a Verified Badge via Discord to access the private areas for such things).

  • Do not post PS4 FW 6.72 Jailbreak videos, search YouTube... we'll add some to relevant articles as time permits.

  • Do not post in non-English per the Rules, use Google Translate prior to replying instead.
If you find yourself unable to post and/or access the forums any longer, re-read the above for the most likely answer as to why. 😑

From the README.md: PS4JB

This is a full chain exploit for PS4 firmware 6.72. Basically this is TheFlow's POC together with PS4-specific kROP & kernel patches. Mira is used as a HEN payload.

Building from source

To build from source, clone this repository recursively, and run these commands:
Code:
cd src
make
You will get a fresh copy of the binary build in src/build/.

Dependencies: python3, gcc, ROPgadget. Note: Mira is not built from source.

Adding your own payloads

miraldr.c loads 65536 bytes from the address stored in the JS variable mira_blob into RWX memory and jumps to it. At this point only the minimal patches (amd64_syscall, mmap, mprotect, kexec) are applied (i.e. the process is still "sandboxed"). Normally mira_blob contains MiraLoader.

mira_blob_2_len bytes at mira_blob_2 are sent to 127.0.0.1:9021 in a background thread. If mira_blob contains MiraLoader, this second blob is run in the same way, but with the full patchset applied and the process already jailbroken.

Credits
And from the index.html: PS4 FW 6.72 Jailbreak

READ THIS CAREFULLY BEFORE PROCEEDING

In case you're dumb: this ONLY works on FW 6.72. If you are on a lower firmware, download a 6.72 retail update file here and update your system. If you are on a higher firmware (e.g. 7.02), your console CAN'T BE HACKED yet.

This exploit consists of two steps: the actual jailbreak (JB) and Mira+HEN (MIRA). To run homebrew software, you need to activate JB first, and then MIRA. Not just one of them, not the other way round. First JB then MIRA.

1. Click on the link that says JB. In about 20 seconds you'll get an alert saying "You're all set!", followed by "There is not enough free system memory". This means that everything has gone well.

If something went wrong during the process, you may get an alert saying "Jailbreak failed! Reboot your PS4 and try again.". In this case you must reboot your PS4, preferably without closing the dialog box.
  • If the system hangs for more than a minute (may require more time on slow Internet connections), reboot your PS4 and try again.
  • If the system crashes (looks like instant powerdown), press the power button on the PS4 (NOT on the gamepad) until it turns on again, then retry.
2. After you click OK on "There is not enough free system memory" and the page reloads, click on the link that says MIRA. This will activate Mira+HEN to unlock the "Debug Settings" menu. In about 20 seconds you'll get an alert saying "You're all set!", followed by "There is not enough free system memory". This means that everything has gone well. If the system hangs or crashes, see above.

Claims that Mira does not have HEN are false, do not believe them!

This exploit does crash and hang. Sometimes you even have to retry 10 times to get the jailbreak.

:arrow: Sleirsgoevy on porting the toolchain to other PS4 Firmware versions:

Just in case, the checklist to port the toolchain (my implementation of bad_hoist + retargeted shinh/8cc) to another firmware:
  1. If the exploit.js crashes, look at the comments inside it.
  2. The GOT offset, relative to textarea's leaked virtual method, is hardcoded in bad_hoist/memserver/dump_module.py, bad_hoist/dumpers/dump_got.js, and bad_hoist/rop/rop.js. You'll need to replace them with the correct offset.
  3. GOT indices corresponding to specific system modules are hardcoded in bad_hoist/memserver/Makefile and bad_hoist/rop/rop.js. You'll need to change them accordingly.
  4. Offsets to some libc & libkernel functions (relative to the corresponding GOT entries) are hardcoded in bad_hoist/rop/rop.js.
  5. The "pivot gadget" is expected to be mov rsp, [rdi+0x38] ; pop rdi ; ret. You'll need to rewrite the pivot() code if this gadget doesn't exist.
  6. The code expects a specific layout of the register save area utilized by loadall/saveall functions. It is documented in ps4-rop-8cc/ps4/saveall.h. The pivot gadget from above is a part of a proper loadall() function.
Once all of this is fixed, compiling and running ropchains should work, unless some gadgets are missing on 6.20.

Related Tweets:
  • Unstable...
  • PS4 Jailbreak 6.72 Stable Release with Payloads Included and Stability Improved
  • PS1 Emu Test on PS4

Download: Ps1HDemu.rar (3.73 MB) / GIT by Zcor3x / EP0000-SCES02545_00-MEDIEVIL2E000001-A0100-V0100.pkg (596.7 MB by Vitt0x_Lar_YT) via @Vitt0xLar on Twitter / GUI
It's very sad that no new PS2 classic has been dumped yet; anyway, if someone has these games, please dump them so we can get other PS2 emulators. List: Official PS2 Games List to Dump
  • Jak 2
  • Jak 3
  • Jak X
  • Ace Combat 5
  • Red Dead Revolver
  • Primal
  • The Forbidden Siren
  • Art of Fighting Anthology
  • Red Faction 2
  • Harvest Moon Save the Homeland
  • Harvest Moon A Wonderful Life Special Edition
  • ADK DAMASHII
  • SAMURAI SHOWDOWN VI
  • Ape Escape 2
  • Kinetica
  • Wild Arms 3
  • Okage Shadow of the King
  • Rise of the Kasai
  • Dark Chronicle
  • Star Wars Bounty Hunter
  • Star Wars Racer Revenge
  • Arc The Twilight of the Spirits
  • Dark Cloud
  • Dark Cloud 2
  • The Mark of Kri
  • War of the Monsters
  • The King of Fighters’ Collection The Orochi Saga
  • Estyren demo - PS1HD emulator on PS4
  • Full PS4 Jailbreak Tutorial (6.72 or Lower!)
  • Use the following Ghidra script on a decrypted libkernel_sys.sprx loaded with GhidraOrbis to add mast1c0re support for other firmware versions (dumps the `***/include/offsets/ps/libkernel/psx/xx.xx.hpp` file)