PS5 JAR Loader v2.0.0 released

A new update of PS5 JAR Loader has been published. The tool exploits vulnerabilities in the BD-J layer of PS5 firmware up to version 7.61. The loader lets you run JAR files on the console by executing their main class.

This means the BD-R disc carrying the loader only has to be burned once; new versions of the experimental code can then be sent to the console over the network without re-burning.

On firmware 1.02 the update has reached a stable state: control returns to the JAR loader after the UMTX exploit runs, so further payloads can be sent that use the persistent kernel read/write access.

Fixes to the vmspace handling improve stability, and the allproc address and other information useful for defeating KASLR are now printed.

Some improvements, such as the file-descriptor spray, were added based on external advice, although they have not been tested on 3.xx firmware.

The UMTX payload is meant to install persistent kernel read/write access and enable additional payloads, such as a jailbreak (still in the works).

Among the problems encountered: once BD-J is out of the sandbox, the JVM can no longer find some classes under the /app0 path, and reverse-engineering work is needed to resolve this.

Stability is not yet perfect: kernel panics may occur after some time, and the BD-J process crashes frequently.

Prerequisites

  • JDK 11 (PS5 uses Java 11 as runtime).
  • Apache Maven.
  • IntelliJ IDEA Community Edition (optional, but recommended).

Structure

The project consists of the following components:

  • The file pom.xml defines the common properties and Maven plugin configuration for all sub-projects.
  • The assembly sub-project creates the directory that needs to be burned to a BD-R disc.
  • The bdj-tools sub-project does not need to be edited; it contains utilities from HD Cookbook that are used when building the BD-R disc filesystem.
  • The stubs sub-project contains the build script that downloads the BD-J class files from HD Cookbook and arranges them for use with a local JDK 11.
  • The sdk sub-project contains support classes that simplify native invocation from the executed code.
  • The xlet sub-project contains the code of the Xlet that starts when the BD-R disc is launched on the PS5.
  • The xploit sub-project contains the code that is sent to the PS5 for execution.

Configuration

The following properties in pom.xml can be edited before building the JAR Loader and burning it to disc:

  • loader.port – Port on which the JAR loader listens for incoming data.
  • loader.resolution.width, loader.resolution.height – Screen resolution to set in the various files.
  • remote.logger.host – IP address of the host to which the messages shown on screen are also sent.
  • remote.logger.port – Port to which the remote logger sends the status messages.
  • remote.logger.timeout – Number of milliseconds to wait before giving up on connecting to the remote logger.

Use

  1. Ensure that the environment variable JAVA_HOME points at the root of a JDK 11 installation. Add ${JAVA_HOME}/bin to ${PATH}.
  2. Likewise ensure that MAVEN_HOME points at the root of the Apache Maven installation. Add ${MAVEN_HOME}/bin to ${PATH}.
  3. Create a payload to run on the PS5 by adding an implementation to the xploit sub-module. You do not need to edit any existing files (although you are welcome to). Simply add the payload class to the org.ps5jb.client.payloads package and specify its name as a parameter when building the project (see next step).
  4. Run mvn clean package -Dxploit.payload=[payload classname] from the root of the project. It should produce the following artifacts:
    • The directory assembly/target/assembly-[version] contains all the files that need to be burned to the BD-R.
    • The file xploit/target/xploit-[version].jar contains the code that can be sent repeatedly to the PS5 once the loader is deployed. To avoid specifying the payload with the -D switch every time (also at step 8), you can instead change the xploit.payload property in the pom.xml of the xploit project.
  5. Burn the BD-R disc (better still, a BD-RE), insert it into the PS5 and start “PS5 JAR Loader” from Media/Disc Player.
  6. A message on the screen should indicate that the loader is waiting for a JAR.
  7. Send the JAR file with the command: java -jar xploit/target/xploit-[version].jar <ps5 ip address>. The PS5 screen should report the status of the load and execution.
  8. Once execution is complete, the loader waits for a new JAR file. Make the necessary changes to the xploit project, rebuild with mvn package and repeat step 7 as many times as needed.
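As an added example of step 3 (not code from the project itself), the following payload class reports the JVM system properties and the class-loader chain of the payload, which is the kind of information the "printsysprops" and "dumpclasspath" examples below expose and which helps when chasing the /app0 class-resolution problem mentioned above. It assumes, because the page does not confirm it, that the loader instantiates payload classes that implement java.lang.Runnable, that the Status class mentioned in note 5 lives in the package org.ps5jb.loader and offers a static println(String), and that the simple class name is what -Dxploit.payload expects. The main method exists only for local testing as described in note 5.

```java
package org.ps5jb.client.payloads;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.TreeMap;

// Assumption: package and signature of the Status class named in note 5 of the README.
import org.ps5jb.loader.Status;

/**
 * Added example payload, not part of PS5 JAR Loader. Assumptions: payloads implement
 * Runnable, Status.println(String) writes to the console screen (or to stdout when
 * run locally), and the build is invoked as
 *   mvn clean package -Dxploit.payload=SysPropsReport
 */
public class SysPropsReport implements Runnable {

    /** Sorted copy of the properties so the on-screen output is stable between runs. */
    static Map<String, String> sortedProperties(Properties props) {
        Map<String, String> sorted = new TreeMap<>();
        for (String name : props.stringPropertyNames()) {
            sorted.put(name, props.getProperty(name));
        }
        return sorted;
    }

    /** Walks the parent chain from the given loader; the bootstrap loader is reported as a marker. */
    static List<String> loaderChain(ClassLoader start) {
        List<String> chain = new ArrayList<>();
        for (ClassLoader cl = start; cl != null; cl = cl.getParent()) {
            chain.add(cl.getClass().getName() + " (" + cl + ")");
        }
        chain.add("<bootstrap>");
        return chain;
    }

    /** Builds the report as plain lines, independent of where they are printed. */
    static List<String> buildReport(Properties props, ClassLoader loader) {
        List<String> lines = new ArrayList<>();
        lines.add("== System properties ==");
        for (Map.Entry<String, String> e : sortedProperties(props).entrySet()) {
            lines.add(e.getKey() + "=" + e.getValue());
        }
        lines.add("== Class-loader chain of the payload ==");
        lines.addAll(loaderChain(loader));
        return lines;
    }

    /** Entry point used by the loader on the PS5 (assumption: Runnable contract). */
    @Override
    public void run() {
        for (String line : buildReport(System.getProperties(), SysPropsReport.class.getClassLoader())) {
            Status.println(line);
        }
    }

    /** Local test entry point (note 5): same report, printed to stdout without the loader. */
    public static void main(String[] args) {
        for (String line : buildReport(System.getProperties(), SysPropsReport.class.getClassLoader())) {
            System.out.println(line);
        }
    }
}
```

Keeping the report construction separate from Status makes the class runnable both on the console and locally, which is what note 5 recommends for payloads without PS5-specific dependencies; the class-loader chain printed on the console versus locally is the first thing to compare when a class that exists on disc is not found at runtime.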

Notes

  1. To use the project in IntelliJ, point the File -> Open dialog at the root of the project.
  2. If any of the POMs is modified, run Maven -> Reload Project in IntelliJ to synchronize the project files. Unfortunately the Maven synchronization rewrites .idea/compiler.xml to contain absolute system paths; simply replace them again with the $PROJECT_DIR$ macro. IntelliJ also modifies the module classpaths defined in the various *.iml files; these changes should mostly be reverted as well.
  3. To generate Javadoc, use mvn verify rather than mvn package. Javadoc is enabled for the sdk, xlet and xploit modules and is generated in the target/site/apidocs folder of each module.
  4. The JAR of the xploit module accesses some internal JDK classes through reflection. This produces warnings that can safely be ignored. To silence them, add the following option after the java executable when sending the JAR: --add-opens java.base/jdk.internal.loader=ALL-UNNAMED.
  5. If the xploit JAR has no PS5-specific dependencies, it can be tested locally. What matters is that the xlet, stub and xploit JARs are all in the same folder. Maven creates this arrangement automatically in xploit/target, so the command is very similar to the one that sends the JAR to the PS5: java -jar xploit/target/xploit-[version].jar. When run locally, the Status class prints to standard output/error instead of to the screen.
  6. Currently the project uses two separate version numbers:
    • The xlet version is independent and is only incremented when a new disc needs to be burned with updated loader classes. If the version shown on the PS5 differs from the one produced by the project's code, payload compatibility is not guaranteed, so it is best to burn a new loader disc. This version is not expected to change often, as the loader is fairly stable. To increase it, change the value of the xlet.version property in pom.xml.
    • The remaining modules use the parent POM version. This version is increased with each new release and reflects changes to the SDK or payloads. If the loader version is unchanged, new payload versions can be sent to the JAR loader without burning the disc again. This version can be increased by running mvn versions:set -DnewVersion=[version], then reloading the IntelliJ Maven project as described in note 2.

Changelog

Framework for persistent kernel read/write access.

Note: previous versions of the JAR loader will not run JARs compiled with this version.

Steps:

  1. Build the project and burn the contents of the folder assembly/target/assembly-2.0.0 to a BD-RE disc. A pre-built ISO is also available. Optionally, build with the parameter -Dremote.logger.host=[IP of the logging server] to view the on-screen output on a remote host.
  2. Insert the disc into the PS5 and start the JAR Loader.
  3. Send a payload: java -jar <payload.jar> <IP of the PS5>.

Examples:

  • FTP server (in sandbox mode).
  • Mini tennis game example.
  • Printing of system properties.
  • Dump of the JVM's current classpath, including java.base (may not work on all
  • Implementations of the UMTX bug by flat_z and Cryptogenic, adapted to this SDK. Note that stability is not guaranteed: crashes of the BD-J process or kernel panics are to be expected. Some post-exploitation steps are currently implemented only on firmware 1.02, and the exploit may not work at all on firmware 3.xx+.

Download: PS5 JAR Loader v2.0

Download: dumpclasspath-1.0-SNAPSHOT.jar

Download: ftpserver-1.0-SNAPSHOT.jar

Download: minitennis-1.0-SNAPSHOT.jar

Download: printsysprops-1.0-SNAPSHOT.jar

Download: umtx-bug-1.0-SNAPSHOT.jar

Download: Source code PS5 JAR Loader v2.0

Source: github.com
