Join Us and become a Member for a Verified Badge to access private areas with the latest PS4 PKGs.
Proceeding the PS5 BD-JB ELF Loader v1.2 revision, 'twas the night before Christmas and based on John Tornblom's continued Github Repository updates @ifcompass (Ifaicompa via Twitter) made available a system-mount.elf R/W payload to Read / Write to PlayStation 5's /system partition for those in the PS5Scene using the previously released PS5 IPV6 Kernel Exploit. :geek:

Ifaicompa notes the following details on Twitter, to quote:

(❁´◡`❁) Merry Christmas everyone
⭐ This payload will Remount /system with write permissions
⭐ It can only be loaded via the BD-JB ELF Loader!
⭐After loading, load FTPS5 via Webkit, FTP will have system R/W
🫡 Thanks John Tornblom

⚠️ Warning: If you delete files in /system at will, it may cause PS5 to become a brick! ⚠️

:idea: For those who prefer visual explanations: FAFO :alert:
From nmount PS5 system rw source from decompiler
__int64 __fastcall _payload_base(_QWORD *arrayPointer, unsigned int *lengthPointer, __int64 string1, __int64 string2)
  __int64 functionResult; // rax
  _QWORD *str1Ptr; // rbx
  __int64 strdupStr2; // rax
  __int64 strlenStr2; // rax
  int v10; // [rsp+2Ch] [rbp-14h]
  int v11; // [rsp+2Ch] [rbp-14h]

  functionResult = *lengthPointer;
  if ( (int)functionResult >= 0 )
    v10 = *lengthPointer;
    *arrayPointer = realloc(*arrayPointer, 16LL * (int)(*lengthPointer + 2));
    if ( *arrayPointer )
      str1Ptr = (_QWORD *)(*arrayPointer + 16LL * v10);
      *str1Ptr = strdup(string1);
      *(_QWORD *)(*arrayPointer + 16LL * v10 + 8) = strlen(string1) + 1;
      v11 = v10 + 1;
      if ( string2 )
        strdupStr2 = strdup(string2);
        strdupStr2 = 0LL;
      *(_QWORD *)(*arrayPointer + 16LL * v11) = strdupStr2;
      if ( string2 )
        strlenStr2 = strlen(string2) + 1;
        strlenStr2 = 0LL;
      *(_QWORD *)(*arrayPointer + 16LL * v11 + 8) = strlenStr2;
      functionResult = (__int64)lengthPointer;
      *lengthPointer = v11 + 1;
      *lengthPointer = -1;
      return perror("realloc");
  return functionResult;

int __cdecl main(int argc, const char **argv, const char **envp)
  unsigned int v4; // [rsp+4h] [rbp-Ch] BYREF
  __int64 v5; // [rsp+8h] [rbp-8h] BYREF

  v5 = 0LL;
  v4 = 0;
  _payload_base(&v5, &v4, (__int64)"fstype", (__int64)"exfatfs");
  _payload_base(&v5, &v4, (__int64)"fspath", (__int64)"/system");
  _payload_base(&v5, &v4, (__int64)"from", (__int64)"/dev/ssd0.system");
  _payload_base(&v5, &v4, (__int64)"large", (__int64)"yes");
  _payload_base(&v5, &v4, (__int64)"timezone", (__int64)"static");
  _payload_base(&v5, &v4, (__int64)"async", 0LL);
  _payload_base(&v5, &v4, (__int64)"ignoreacl", 0LL);
  if ( !(unsigned int)nmount(v5, v4, 0x10000LL) )
    return 0;
  return 1;
Mr. Nasu, who made a payload that enables writing of the PS5 system, seems to be making a payload that can read and write not only the system but all layers. Thankfully I am a tester.
PS5 System-Mount.elf Payload Read Write to PlayStation 5 System Partition.jpg