Category: PS5 Jailbreaking | Thread starter: PSXHAX | Start date: Oct 15, 2022 at 6:07 PM | Replies: 139
As previously announced, today Security Engineer Andy Nguyen (aka theflow0) spoke at Hexacon 2022, discussing his BD-JB: Blu-ray Disc Java Sandbox Escape (PDF) for PS4 / PS5, which he first presented at this year's HardWear.io conference, prior to disclosing PS5 Kernel Access via PS4 Exploit and the PS4 / PS5 exFAT Vulnerability last month. 🎃

⬆️ Update: In related news, theflow0 recently announced on X the disclosure of a Blu-ray Disc Java Sandbox Escape via Two Vulnerabilities Kernel Exploit, with the ExploitNetControlImpl.java code available via TheOfficialFloW's Github repository, confirming, to quote: "RIP, my PlayStation exploit died. ExploitNetControlImpl.java Works up to PS4 13.00 and PS5 12.00. Patched on PS4 13.02 and PS5 12.02." 😱

Previous Article:

Abstract

WebKit has been exploited in the past in order to obtain a userland entry point, the initial foothold, on the PS4. However, porting such an exploit to the PS5 is challenging, as the PS5's AMD CPU newly supports eXecute-Only-Memory (XOM), which prevents the attacker from reading the .text segment. That makes it practically impossible to find the addresses of functions, syscalls, and ROP gadgets. In this talk, Andy Nguyen presents a new attack vector and a firmware-agnostic, ROP-less exploit to achieve native code execution on the PS4 and PS5.

Beyond the new images shared among the Tweets below, it doesn't appear that TheOfficialFloW's Github Repositories have been updated recently, and a video of today's presentation has only just surfaced (added below). Meanwhile, those in the PlayStation 5 Scene can check out a PS5 PUP Unpacker and a PS5 PUP Decrypt utility via @zecoxao on Twitter, with reverse-engineering help from LemonHaze420_ among others, detailed below.

Download: ps5-pup-unpacker.7z (1.17 MB) / ps5-pup-unpacker-master.zip / PS5 PUP Unpacker GIT / ps5-pup-decrypt-master.zip / PS5 PUP Decrypt GIT / Zecoxao's Ko-fi Page
  • Decrypted PS5 Firmware PUPs
    • pups
      • 300_update1.pup.dec
      • 300_update2.pup.dec
      • 310_update1.pup.dec
      • 310_update2.pup.dec
      • 320_update1.pup.dec
      • 400_update1.pup.dec
      • 402_update1.pup.dec
      • 403_update1.pup.dec
      • 450_update1.pup.dec
      • 451_update1.pup.dec
      • 500_update1.pup.dec
      • 502_update1.pup.dec
      • 510_update1.pup.dec
      • 550_update1.pup.dec
      • 600_update1.pup.dec
      • 601_update1.pup.dec
      • 602_update1.pup.dec
      • 650_update1.pup.dec
      • 700_update1.pup.dec
      • 701_update1.pup.dec
      • 720_update1.pup.dec
      • 740_update1.pup.dec
      • 760_update1.pup.dec
      • 761_update1.pup.dec

  • Matrix Demo on PS5 Map / Videos
    • frosty
      • chase.mp4
      • frosty-ps5.part1.rar
      • frosty-ps5.part2.rar
      • frosty-ps5.utoc
      • global.ucas
      • global.utoc
      • logo_vid_hevc.mp4
      • sandbox.mp4
      • wu_vid_0010_hevc.mp4
      • wu_vid_0030_hevc.mp4
      • wu_vid_0070_hevc.mp4
      • wu_vid_0070_subs.json
      • wu_vid_0130_hevc.mp4
      • wu_vid_0130_subs.json
      • wu_vid_0260_hevc.mp4
      • wu_vid_0260_subs.json
This PlayStation 5 PUP Unpacker (based on IDC's PS4 PUP_Unpack, rewritten by Zer0xFF) follows the previously released PS5 PUP Info Python Scripts and PS5UPDATE.PUP Unpacked, alongside confirmation via notzecoxao on Twitter that BLSUnpack also handles PS5 PUPs. From the PS5 PUP Unpacker README.md: pup_unpacker

A utility to unpack PS5 update blobs that have been previously decrypted using pup_decrypt. This is based on idc/ps4-pup_unpack, rewritten in C++, and runs on Linux/OSX/Win32.

Note

This utility will not unpack the contents of nested filesystems. The filesystem images in updates are FAT32, exFAT, etc. images and can be mounted or unpacked with other tools (for example 7zip with Formats exFAT).

To Build
Code:
cmake .
make
And from the PS5 PUP Decrypt README.md: PS5-PUP-Decrypt

PS5 PUP decrypt by asking the PS5 nicely to do it.

Credits
  • SpecterDev: for *** files
  • LeGend: for assistance on testing
  • Scene-Collective/l0lhax/idc: for original code
  • Anonymous: For help in getting the required coolstuff to reverse the protocol
  • LemonHaze: For RE help
Usage

Place your PS5 update file at /mnt/usb0/safe.PS5UPDATE.PUP (this is the root of your pendrive, file safe.PS5UPDATE.PUP).

Plug the pendrive into the PS5.

Let it do its thing (⚠️ warning: this requires elevated privileges for most packages!).

Either one or two files will be produced (PS5UPDATE1.PUP.dec and PS5UPDATE2.PUP.dec), depending on which file you have (sys or recovery).

Requirements

Ubuntu 20.04 with gcc (or WSL alternative)
Code:
make

Related Files, Tweets & Videos

HEXACON2022 - bd-jb: Blu-ray Disc Sandbox Escape by Andy Nguyen
Comments

I've owned a ps5 slim since launch and never connected it to the internet, just waiting for some way to jailbreak it. Since my bluray drive wasn't active I couldn't use any of the jailbreaks until now. I'm happy the wait is over. Can't wait to see development push the limits of the system with homebrew.
 
Hello everyone, I have had a ps5 with reader since its release, I'm on 11.20, I hope the jailbreak will be able to evolve on this firmware.

I also bought a ps5 pro on 9.05 two days ago that will be used with Y2JB, I'll start tomorrow morning 🤞

The PS5 scene is boiling and it's nice. Have a good weekend everyone.
 
I hope by the end of the year we will get a good ending to the jailbreak scenes for ps4, and we will get at least a jailbreak for 12.50 and 12.52, maybe a bd jb version or at least a psfree version of it.

So many things to await for so little time, but hopefully in the end the wait will be worth it enough that a man will be happy. For what it's worth I'm still waiting for the jailbreak to pop up, but it's going at a good pace by following the news and everything.
 
Hey! I'm following the scene since the beginning. Never seen this excitement. Maybe Christmas time is good for 12.02 to come?

Just rewatched TheFlow0's HEXACON video about the BD-JB sandbox escape. It's wild to think that when he first dropped that talk in 2022, the whole Blu-ray disc Java exploit thing sounded super futuristic. Back then, everyone was guessing whether it might lead to a full public PS5 jailbreak.

This new kernel exploit for PS5 has me hyped, it kinda feels like being back in the old PS4 jailbreak first days! Been modding since my PS4, so I'm not a total noob, but there's always someone like TheFlow0 that came through with the BD-JB stuff, but what really made me sit up was seeing the Y2JB!

I've been lurking, watching everyone excited, which would keep the scene at this level. If you keep this pace, I bet we see new tools before Christmas, or early next year. Do not update your system and just chill for a bit.