PS4 Jailbreaking | Thread starter: PSXHAX | Start date: Jul 16, 2020 at 3:00 PM
Status: Not open for further replies.
Since the PS4 7.02 Kernel Exploit release by theflow0 and his PS4 Webkit Bad_Hoist 6.72 Exploit Port WIP, PlayStation 4 scene developer sleirsgoevy (Twitter) added a PS4JB: PS4 6.72 Jailbreak Exploit implementation (initially labeled experimental, now marked stable) to his Github repository today for those seeking to test it out... and it supports an offline cache to remove the need for hosting. 🤩
  • Should you update your PS4 Firmware to 6.72? Most sceners don't recommend it yet, but if you can't wait there are plenty of mirrors for it available HERE.

  • Should you update your PS4 Firmware to 7.02? No, as there is currently no public Webkit / Userland entry point for the previously released PS4 7.02 Kernel Exploit.

  • What if your PS4 is on Firmware above 7.02? All you can do is wait on a Future PS4 Jailbreak Exploit for higher Firmware or Find a Jailbreakable PS4 Console.
Download: ps4jb-master.zip / GIT / Live Demo / Live Demo #2 / Live Demo #3 / Live Demo #4 (Italian Translation via TheheroGAC) / Live Demo #5 via @AlFaMoDz / Live Demo #6 via ps3120 / Live Demo #7 by Leeful74 / kernel_dump_fw_672.bin by Mugiwara via zecoxao / ps4jb_game_dumper.7z (629 KB - 6.72 Games Dumper by zecoxao via Hyndrid) / PS4 Game Dumper with 6.72 Payloads / PS4 Xplorer 1.22 with 6.72 Support by Lapy05575948 / Ethylamine PS4 Linux Loader 6.72 Payload / PS4-Linux-Loader.bin / Linux-Loader TEST via Cedsaill2 / Easy PKG Extractor 1.05 Lapy - FW 6.72 Only.pkg / PS4 App Lock 1.02 Lapy - FW 6.72 Only.pkg / ps4ninja_672.7z (18 KB) by m0rph3us1987 / PS4 Player 1.03 - Lapy.rar (76.2 MB - 6.72 Only) / Stable Jailbreak / 6.72 .BIN / .ELF File Loader Code by Leeful74 / RetroArch 6.72 PKG / 6.72 Live Demo (Updated) via ps3120

Live PS4 6.72 Jailbreak Demo mirrors will be added above as time permits... also, as new 6.72 Fake PKGs (FPKGs) are dumped, remember we don't allow them on the public forums, so be sure to get a Verified Badge via Discord to access the private areas for such things and rock on with everybody there! 🏴‍☠️

Some other tips to be aware of with the influx of newcomers due to the 6.72 PS4 Jailbreak news:
  • Do not post Tweets in the forum, the Staff will add noteworthy ones to the article OP's as time permits.

  • Do not post links to PS4 FPKG downloads (get a Verified Badge via Discord to access the private areas for such things).

  • Do not post PS4 FW 6.72 Jailbreak videos, search YouTube... we'll add some to relevant articles as time permits.

  • Do not post in non-English per the Rules, use Google Translate prior to replying instead.
If you find yourself unable to post and/or access the forums any longer, re-read the above for the most likely answer as to why. 😑

From the README.md: PS4JB

This is a full chain exploit for PS4 firmware 6.72. Basically this is TheFlow's POC together with PS4-specific kROP & kernel patches. Mira is used as a HEN payload.

Building from source

To build from source, clone this repository recursively, and run these commands:
Code:
cd src
make
You will get a fresh copy of the binary build in src/build/.

Dependencies: python3, gcc, ROPgadget. Note: Mira is not being built from source

Adding your own payloads

miraldr.c loads 65536 bytes at address stored in JS variable mira_blob into RWX memory and jumps to it. At this point only the minimal patches (amd64_syscall, mmap, mprotect, kexec) are applied (i.e. the process is still "sandboxed"). Normally mira_blob contains MiraLoader.

mira_blob_2_len bytes at mira_blob_2 are sent to 127.0.0.1:9021 in a background thread. If mira_blob contains MiraLoader this will be run in the same way but with the full patchset applied & already jailbroken.
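The two delivery paths described above (a fixed 65536-byte copy into RWX memory, and a second blob pushed to 127.0.0.1:9021 in a background thread) are easy to get subtly wrong when swapping in your own payload: miraldr.c copies exactly 65536 bytes, so an oversized payload is truncated silently and a short one must be padded. The following is an added example, not code from the PS4JB repository; it assumes mira_blob is emitted as a JavaScript Uint8Array literal (PS4JB's build may encode it differently) and that the second stage is delivered as raw bytes to a TCP listener that reads until the sender closes, which is how the README describes the 9021 path.

```python
"""
Added example (not part of PS4JB): package a payload for the mira_blob slot
and push a second-stage blob to a loader port the way the README describes.

Assumptions (not taken from the project):
  * mira_blob is written out as `var mira_blob = new Uint8Array([...])`.
  * The 9021 receiver reads until the sender closes the connection.
"""
import socket
import threading

MIRA_BLOB_SIZE = 65536        # miraldr.c copies exactly this many bytes
LOADER_PORT = 9021            # port the README says mira_blob_2 is sent to


def build_mira_blob(payload: bytes) -> bytes:
    """Pad a raw payload to the fixed 64 KiB the loader copies.

    The loader copies 65536 bytes unconditionally, so a larger payload
    would be cut off with no error; refuse it instead of truncating.
    """
    if len(payload) > MIRA_BLOB_SIZE:
        raise ValueError(f"payload is {len(payload)} bytes, limit is {MIRA_BLOB_SIZE}")
    return payload + b"\x00" * (MIRA_BLOB_SIZE - len(payload))


def to_js_array(name: str, blob: bytes, per_line: int = 32) -> str:
    """Render a blob as a JS Uint8Array literal (assumed format)."""
    rows = []
    for off in range(0, len(blob), per_line):
        rows.append("  " + ",".join(str(b) for b in blob[off:off + per_line]))
    return f"var {name} = new Uint8Array([\n" + ",\n".join(rows) + "\n]);\n"


def send_payload(data: bytes, host: str = "127.0.0.1", port: int = LOADER_PORT) -> int:
    """Push a payload to a listening loader over TCP; returns bytes sent.

    Half-close the socket after sending so a receiver that reads until
    EOF (as assumed here) knows the payload is complete.
    """
    with socket.create_connection((host, port), timeout=10) as s:
        s.sendall(data)
        s.shutdown(socket.SHUT_WR)
    return len(data)


def recv_one_payload(host: str = "127.0.0.1", port: int = 0):
    """Local stand-in for the receiving side, used only to exercise
    send_payload offline. Returns (bound_port, thread, result_dict);
    result_dict["data"] holds the bytes once the thread finishes."""
    result = {}
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, port))
    srv.listen(1)
    bound = srv.getsockname()[1]

    def _serve():
        conn, _ = srv.accept()
        chunks = []
        with conn:
            while True:
                c = conn.recv(65536)
                if not c:
                    break
                chunks.append(c)
        result["data"] = b"".join(chunks)
        srv.close()

    t = threading.Thread(target=_serve, daemon=True)
    t.start()
    return bound, t, result


if __name__ == "__main__":
    # Constructed stand-in payload (just bytes, not a real loader binary).
    payload = b"\x90" * 16 + b"\xc3"
    blob = build_mira_blob(payload)
    print(to_js_array("mira_blob", blob)[:80], "...")
    port, t, res = recv_one_payload()            # local listener, not the PS4
    send_payload(blob, port=port)
    t.join()
    print("delivered", len(res["data"]), "bytes")
```

Against a real console you would call send_payload(data, host="<ps4-ip>") once the loader is listening; the local listener exists only so the script can be run without hardware.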

Credits
And from the index.html: PS4 FW 6.72 Jailbreak

READ THIS CAREFULLY BEFORE PROCEEDING


In case you're dumb: this ONLY works on FW 6.72. If you are on a lower firmware, download a 6.72 retail update file here and update your system. If you are on a higher firmware (e.g. 7.02), your console CAN'T BE HACKED yet.

This exploit consists of two steps: the actual jailbreak (JB) and Mira+HEN (MIRA). To run homebrew software, you need to activate JB first, and then MIRA. Not just one of them, not the other way round. First JB then MIRA.

1. Click on the link that says JB. In about 20 seconds you'll get an alert saying "You're all set!", followed by "There is not enough free system memory". This means that everything has gone well.

If something went wrong during the process, you may get an alert saying "Jailbreak failed! Reboot your PS4 and try again.". In this case you must reboot your PS4, preferably without closing the dialog box.
  • If the system hangs for more than a minute (may require more time on slow Internet connections), reboot your PS4 and try again.
  • If the system crashes (looks like instant powerdown), press the power button on the PS4 (NOT on the gamepad) until it turns on again, then retry.
2. After you click OK on "There is not enough free system memory" and the page reloads, click on the link that says MIRA. This will activate Mira+HEN to unlock the "Debug Settings" menu. In about 20 seconds you'll get an alert saying "You're all set!", followed by "There is not enough free system memory". This means that everything has gone well. If the system hangs or crashes, see above.

Claims that Mira does not have HEN are false, do not believe them!

This exploit does crash and hang. Sometimes you even have to retry 10 times to get the jailbreak.


Sleirsgoevy on porting the toolchain to other PS4 Firmware versions:

Just in case, the checklist to port the toolchain (my implementation of bad_hoist + retargeted shinh/8cc) to another firmware:
  1. If the exploit.js crashes, look at the comments inside it.
  2. The GOT offset, relative to textarea's leaked virtual method, is hardcoded in bad_hoist/memserver/dump_module.py, bad_hoist/dumpers/dump_got.js, and bad_hoist/rop/rop.js. You'll need to replace them with the correct offset.
  3. GOT indices corresponding to specific system modules are hardcoded in bad_hoist/memserver/Makefile and bad_hoist/rop/rop.js. You'll need to change them accordingly.
  4. Offsets to some libc & libkernel functions (relative to the corresponding GOT entries) are hardcoded in bad_hoist/rop/rop.js.
  5. The "pivot gadget" is expected to be mov rsp, [rdi+0x38] ; pop rdi ; ret. You'll need to rewrite the pivot() code if this gadget doesn't exist.
  6. The code expects a specific layout of the register save area utilized by loadall/saveall functions. It is documented in ps4-rop-8cc/ps4/saveall.h. The pivot gadget from above is a part of a proper loadall() function.
Once all of this is fixed, compiling and running ropchains should work, unless some gadgets are missing on 6.20.
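Item 5 of the checklist is the one most likely to break on a new firmware: if the exact pivot gadget is absent, pivot() has to be rewritten, and if only the displacement differs, the register save area layout in saveall.h no longer lines up. The script below is an added example (not from sleirsgoevy's tree) that scans a dumped module for the expected `mov rsp, [rdi+0x38] ; pop rdi ; ret` encoding and, when that exact form is missing, reports `mov rsp, [rdi+disp8] ; pop rdi ; ret` variants with other displacements so the porter can see what is actually available. It assumes the dump is raw x86-64 code whose file offsets map directly to the offsets the ROP chain uses, and it deliberately does byte matching rather than disassembly, so it only finds this one encoding of the gadget.

```python
"""
Added example for checklist item 5 (not part of PS4JB or ps4-rop-8cc):
check a module dump for the pivot gadget the toolchain expects.

Assumption: the input is raw x86-64 code and the file offset of a hit is
the offset the ROP chain would use (no relocation/section handling).
"""
import re
import sys
from typing import Dict, List

# mov rsp, [rdi+0x38]  ->  REX.W (48) 8B ModRM(mod=01, reg=rsp, rm=rdi => 67) disp8
# pop rdi              ->  5F
# ret                  ->  C3
PIVOT_DISP = 0x38
PIVOT_GADGET = bytes([0x48, 0x8B, 0x67, PIVOT_DISP, 0x5F, 0xC3])
# Same instruction shape with any disp8; used only to suggest alternatives.
PIVOT_FAMILY = re.compile(rb"\x48\x8b\x67(.)\x5f\xc3", re.DOTALL)


def find_all(blob: bytes, pattern: bytes) -> List[int]:
    """Every offset where pattern occurs, overlapping hits included."""
    hits, start = [], 0
    while True:
        i = blob.find(pattern, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def check_pivot(blob: bytes) -> Dict:
    """Locate the exact pivot gadget and any same-shape variants.

    Returns {"exact": [offsets], "variants": {disp8: [offsets]}}.
    A variant with a different disp8 means the saveall.h layout
    (rsp slot at +0x38) would have to change along with pivot().
    """
    exact = find_all(blob, PIVOT_GADGET)
    variants: Dict[int, List[int]] = {}
    for m in PIVOT_FAMILY.finditer(blob):
        disp = m.group(1)[0]
        if disp != PIVOT_DISP:
            variants.setdefault(disp, []).append(m.start())
    return {"exact": exact, "variants": variants}


def verdict(blob: bytes) -> str:
    """Human-readable summary of check_pivot()."""
    r = check_pivot(blob)
    if r["exact"]:
        return "pivot gadget present at " + ", ".join(hex(o) for o in r["exact"])
    if r["variants"]:
        alts = "; ".join(
            f"disp8 {hex(d)} at {', '.join(hex(o) for o in offs)}"
            for d, offs in sorted(r["variants"].items())
        )
        return "exact pivot gadget missing; same-shape variants: " + alts
    return "no mov rsp,[rdi+disp8]; pop rdi; ret gadget found: rewrite pivot()"


if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        # Constructed sample: padding, the exact gadget, then a 0x40 variant.
        data = (b"\x90" * 7 + PIVOT_GADGET + b"\xcc" * 3
                + bytes([0x48, 0x8B, 0x67, 0x40, 0x5F, 0xC3]))
    print(verdict(data))
```

Run it against a decrypted module dump (for example the libkernel dump a memserver-based dumper produces) and compare the reported offset with what rop.js expects; an exact hit inside a real loadall() routine is the normal case, per item 6 of the checklist.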

Related Tweets:
Unstable...
PS4 Jailbreak 6.72 Stable Release with Payloads Included and Stability Improved
PS1 Emu Test on PS4

Download: Ps1HDemu.rar (3.73 MB) / GIT by Zcor3x / EP0000-SCES02545_00-MEDIEVIL2E000001-A0100-V0100.pkg (596.7 MB by Vitt0x_Lar_YT) via @Vitt0xLar on Twitter / GUI
It's very sad that no new PS2 classic has been dumped yet; anyway, if someone has these games, please dump them so we can get other PS2 emulators. List: Official PS2 Games List to Dump
  • Jak 2
  • Jak 3
  • Jak X
  • Ace Combat 5
  • Red Dead Revolver
  • Primal
  • The Forbidden Siren
  • Art of Fighting Anthology
  • Red Faction 2
  • Harvest Moon Save the Homeland
  • Harvest Moon A Wonderfull Life Special Edition
  • ADK DAMASHII
  • SAMURAI SHOWDOWN VI
  • Ape Escape 2
  • Kinetica
  • Wild Arms 3
  • Okage Shadow of the King
  • Rise of the Kasai
  • Dark Chronicle
  • Star Wars Bounty Hunter
  • Star Wars Racer Revenge
  • Arc The Twilight of the Spirits
  • Dark Cloud
  • Dark Cloud 2
  • The Mark of Kri
  • War of the Monsters
  • The King of Fighters’ Collection The Orochi Saga
Estyren demo - PS1HD emulator on PS4
Full PS4 Jailbreak Tutorial (6.72 or Lower!)
Use the following Ghidra script on a decrypted libkernel_sys.sprx loaded with GhidraOrbis to add mast1c0re support for other firmware versions (Dumps the `***/include/offsets/ps/libkernel/psx/xx.xx.hpp` file)

Comments

Pardon the noobish question but I have been away from the scene for almost two years and have been having a hard time deciding whether or not to upgrade to 6.72... I recently pulled my ps4 off the shelf to play some games and after coming back to psxhax i saw that there are exploits for 6.72 and 7.55 now.

I downloaded a few new games that were backported to 5.05 but I'm not able to install the pkg files. It keeps telling me that I need to update the system software to use external storage. I also updated to HEN 2.1.4 but I still get that error message.

I've read that I should stay on 5.05 since the newer exploits are not as stable BUT i also read that with 6.72 I can definitely play the newer games that have been released.

Would any of you be able to enlighten me on this topic? Again, my apologies for the noobesque question... Thanks!
 
@djru5h : I was also on 5.05, updated to 6.72 and I do not regret it. I have a PS4 FAT 500GB and the JB is really very stable. I play all games available through backports and no issues until now ;)
 
Thank you @djru5h for asking the same question plaguing me. It's been about 1.5 yrs for me. Still 5.05, I think I may check out the backporting scene before I pull the trigger to go to 6.72. Still a little sketched out by 7.02. Read through the more recent comments and when this same question is asked, the answer is STAY ON 5.05!

@mazinas thank you for your input, I too have a Phat 500. I thought I read the Phat PS4 was more problematic with the exploit, but it was only 1 comment and honestly could have been for 6.XX-7.55 with all the releases. Very cool stuff in the scene, much appreciation for all who are part.
 
@Dayquil I actually resolved my issue last night. Been filling my hard drive with newer games ever since. I simply went into the file structure of Leeful's exploit and replaced the hen file 'ps4-hen-vtx.bin' with 'goldhen_1.1_505', then renamed the goldhen file to 'ps4-hen-vtx.bin' and it works... Let me know if you need a step by step...
 
@djru5h, 1st off thanks for the insight and offer to assist. Yeah I need to scour my old sources (hopefully still alive and up to date) for something I can experiment with backporting on... and get an external HDD and/or clean these ghetto games off. I'll give it a shot in the next few, if I run in to a hiccup I will definitely take you up on your generous offer.

Also @vishay, I apologize but I just saw you mentioned goldhen for 5.05, thank you for helping us get back in scene!
 
There is a 'Worksaround controller' option at the bottom of debug settings in ps4 6.72 jailbreak. I was wondering what exactly it does.

I'm actually looking to find a way to use my PS3 arcade stick on my PS4; it's not supported by default. Any help would be greatly appreciated.
 
Most of the debug options don't have the libs to actually do anything and in fact can brick your console if you try to use them, so don't bother looking at any options bar pkg installer.

Makers of Mira and Hen are working on hiding everything but pkg installer because many don't listen and mess around with it and end up stuck in IDU mode or at best need to reinstall FW.
 