Following the PS5 BDJSDK, John Tornblom's Updates, PS5 ELF Loader, Homebrew PS5SDK (WIP) and PS5 Debug Settings updates comes PS5 JAR Loader, a remote JAR loader for PlayStation 5 from Hammer-83 on GitHub that uses the previously released BD-J Vulnerability. It arrives alongside ps5-versions.elf via SiSTR0 and the Portage_PS5Version_Mast1c0re ELFs via logic-68 on GitHub (aka 68Logic on Twitter), which display some console version information.
Download: ftp-server-1.0-SNAPSHOT.jar / ps5-jar-loader-1.1.iso (Latest Version) / ps5-jar-loader-main.zip / GIT / PS5 JAR Loader.iso (4.9 MB) via @ifcompass (aka Ifaicompa) / kern_version.jar (0.03 MB) / ps5-jar-loader.iso (16 MB) / ps5-versions.elf (9.65 KB) / GIT via SiSTR0 / PS5VersionMast1c0re.7z (12.1 KB) / Portage_PS5Version_Mast1c0re-main.zip (47.5 KB Each - includes PS5VersionMast1c0re-PS4-10-01.elf, PS5VersionMast1c0re-PS4-5-05.elf, PS5VersionMast1c0re-PS4-6-72.elf, PS5VersionMast1c0re-PS4-9-00.elf and PS5VersionMast1c0re-PS5-6-50.elf) / Portage_PS5Version_Mast1c0re GIT via logic-68 / Source Code by John Tornblom
Here are further details from the README.md:
PlayStation 5 Remote JAR Loader
This project uses vulnerabilities discovered in the BD-J layer of PS5 firmware version 4.51 and earlier to deploy a loader that is able to listen for JAR files and execute their main class. This makes it easy to burn the BD-R disc with the loader just once and then keep on running new versions of the experimental code. This repository provides all the necessary setup needed to create both the loader BD-R disc filesystem and the JAR to send to the PS5.
Prerequisites
- JDK 11 (PS5 uses Java 11 runtime)
- Apache Maven
- IntelliJ IDEA Community Edition (optional, but recommended)
The project comprises the following components:
- Root pom.xml defines the common properties and Maven plugin configuration for all the projects.
- assembly subproject creates the directory that should be burned to a BD-R disc. I recommend ImgBurn software to do this. Make sure to use the UDF 2.50 filesystem, then simply drag the contents of the assembly/target/assembly-[version] directory into the disc layout editor.
- bdj-tools subproject does not need to be touched. These are the utilities from HD Cookbook, adapted to run on JDK 11 and integrated into the build process of the BD-R disc filesystem.
- stubs subproject contains the build script to download BD-J class files from HD Cookbook and organize them for use with local JDK 11. It's also a place where PS5-specific stub files should be declared so that they can be used in the Xlet and the remote JAR.
- xlet subproject contains the code of the Xlet that starts when BD-R disc is launched on PS5. It simply starts the JAR loader (by default on port 9025).
- xploit subproject contains the code to be sent for execution on PS5. The code can reference classes from xlet, such as the Status class to output on screen. The project produces a JAR that is able to send itself for execution.
The following properties in pom.xml can be adjusted before burning the JAR Loader to disk:
- loader.port - Port on which JAR loader will listen for data.
- loader.resolution.width, loader.resolution.height - Screen resolution to set in various files. Not sure how this affects anything, I did not experiment with this enough.
- remote.logger.host - IP address where to echo the messages shown on screen. If blank, remote logging will not be used. This host can also receive binary data, see RemoteLogger#sendBytes.
- remote.logger.port - Port on which remote logger will send the status messages.
- remote.logger.timeout - Number of milliseconds to wait before abandoning attempts to connect to the remote logging host. If host is down after this timeout on the first send attempt, no further tries to do remote logging will be done.
Usage
1. Make sure environment variable JAVA_HOME points to the root of JDK 11. Add ${JAVA_HOME}/bin directory to ${PATH}.
2. Also make sure that MAVEN_HOME points to the root of Apache Maven installation. Add ${MAVEN_HOME}/bin directory to ${PATH}.
3. Execute mvn package from the root of the project. It should produce the following artifacts:
   - Directory assembly/target/assembly-[version] contains all the files that should be burned to the BD-R.
   - File xploit/target/xploit-[version].jar contains the code that can be sent repeatedly to the PS5 once the loader is deployed.
4. IMPORTANT: Maven-compiler-plugin has a bug that causes an NPE if unpatched. Execution of step #3 will likely fail on the first run. To fix the issue, replace the plugin in your local Maven repository with the patched version located in lib. Normally the replacement goes to ${HOME}/.m2/repository/org/apache/maven/plugins/maven-compiler-plugin/3.10.1.
5. Burn the BD-R (better yet BD-RE), then insert it into the PS5 and launch.
6. A message on screen should inform about loader waiting for JAR.
7. Send the JAR using the command: java --add-opens java.base/jdk.internal.loader=ALL-UNNAMED -jar xploit/target/xploit-[version].jar <ps5 ip address> [<ps5 port>]. PS5 should inform on screen about status of the upload and the execution.
8. Once execution is complete, the loader will wait for a new JAR. Do the necessary modifications in xploit project, recompile using mvn package and re-execute #7 to retry.
- To use with IntelliJ, simply point File -> Open dialog to the root of the project.
- If any of the POMs are modified, it's necessary to do Maven -> Reload Project in IntelliJ to sync the project files. Syncing the Maven project unfortunately modifies .idea/compiler.xml to contain absolute system paths. Simply replace those with the $PROJECT_DIR$ macro again.
- Project should be built once from command-line before attempting to open in IntelliJ. This is so that bdjstack JARs are downloaded.
- Javadoc plugin is integrated into the build, but it is bound to the verify phase so that package phase is not slowed down. To generate the Javadoc, use mvn verify instead of mvn package.
- If you prefer Maven not to rescan all the subprojects for changes (it's a few seconds at most), use mvn install to put all the artifacts into your local maven repo. Then run all mvn package commands from xploit directory rather than from the root of the project.
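An added example, not part of the README or the project: a POSIX shell pre-flight check for the build steps above, covering the JDK 11 requirement, the Maven installation and the patched maven-compiler-plugin. The script name preflight.sh, the function names and the location of the patched jar inside lib are assumptions.

```shell
#!/bin/sh
# Added example (not project code): pre-flight checks before running mvn package.

# Print the major version from a JDK's "release" file,
# e.g. JAVA_VERSION="11.0.20" -> 11. Fails if the file is missing.
jdk_major() {
    [ -r "$1/release" ] || return 1
    sed -n 's/^JAVA_VERSION="\{0,1\}\([0-9][0-9]*\).*/\1/p' "$1/release" | head -n 1
}

# Succeed only if the compiler plugin in the local Maven repository is
# byte-identical to the patched copy. Both paths are arguments because the
# file name inside lib/ is not given on this page.
plugin_is_patched() {
    [ -f "$1" ] && [ -f "$2" ] && cmp -s "$1" "$2"
}

# Check JDK 11, Maven and the patched plugin; print each problem found.
# Args: JAVA_HOME MAVEN_HOME installed-plugin-jar patched-plugin-jar
preflight() {
    problems=0
    major=$(jdk_major "$1") || major=""
    if [ "$major" != "11" ]; then
        echo "JAVA_HOME=$1 is not JDK 11 (found: ${major:-unknown})"
        problems=1
    fi
    if [ ! -x "$2/bin/mvn" ]; then
        echo "MAVEN_HOME=$2 has no executable bin/mvn"
        problems=1
    fi
    if ! plugin_is_patched "$3" "$4"; then
        echo "maven-compiler-plugin differs from the patched copy; expect the NPE"
        problems=1
    fi
    return "$problems"
}

# Run against the real environment only when asked to, e.g.:
#   sh preflight.sh --check path/to/patched-plugin.jar   (hypothetical path)
if [ "${1:-}" = "--check" ]; then
    repo="${HOME}/.m2/repository/org/apache/maven/plugins/maven-compiler-plugin/3.10.1"
    preflight "$JAVA_HOME" "$MAVEN_HOME" "$repo/maven-compiler-plugin-3.10.1.jar" "$2"
fi
```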
There are so many who decided to share the knowledge with the community to make this project possible. Please see the Credits section in the Webkit PS5 Exploit repo. None of this would be possible without all these contributors. Additionally, big thanks to psxdev and John Tornblom for their work specifically on BD-J.
Changelog:
PS5 JAR Loader v1.1
Added a simple FTP Server payload:
- Compile the project and burn the contents of assembly/target/assembly-1.0-SNAPSHOT to BD-RE. Pre-compiled ISO is also provided.
- Send the FTP Server payload to the JAR Loader: java -jar ftp-server-1.0-SNAPSHOT.jar <PS5 IP>
- Log in to the FTP server with username ps5jb and no password on port 9225.
- Stable release of the JAR loader
PS5-versions v1.0
Shows some version information about your console. Works with the Webkit and BD exploits.
Building
Needs gcc 9 installed.
Credits:
And from the Portage_PS5Version_Mast1c0re README.md via Logic-Sunrise.com:
PS5VersionMasterc0re
Simple port of PS5 Version by SISTRo
Working with the Mast1c0re exploit. PS4/PS5
Credits
- SISTRo (SiSTR0) for Version PS5
- notzecoxao
- McCaulay Hudson
- Ubuntu 22.10 Make