PS5 Jar Loader (For Firmwares 7.61 and below) updated
What is PS5 JAR Loader
From the Readme:
This project uses vulnerabilities discovered in BD-J layer of PS5 firmware version 7.61 and earlier to deploy a loader that is able to listen to JAR files and execute their main class. This makes it easy to burn the BD-R disc with the loader just once and then keep on running new versions of the experimental code. This repository provides all the necessary setup needed to create both the loader BD-R disc filesystem and the JAR to send to the PS5.
What is BD-JB
The BD-JB exploit is a usermode exploit chain on the PS5 that allows unsigned code execution. It was initially known to run up to Firmware 4.51 (included) only. But hacker TheFloW, the man behind the original release, has updated the exploit chain with a new path traversal flaw, which allowed to “revive” the exploit up to Firmware 7.61 included. Although this is only a usermode exploit (it needs to be coupled with a Kernel exploit for an actual console Jailbreak, such a kernel exploit is currently only publicly known up to Firmware 4.51), it allows some experimentation with the PS5 for tinkerers, and could potentially open the console for more if a kernel exploit is ever found for these higher firmwares.
Since BD-JB relies on vulnerabilities in the Blu-Ray layer of the PS5, it requires to burn BD Discs to run the code. PS5 JAR Loader makes it so that only one disc needs to be created (the one with JAR Loader), which will in return be able to load and run more payloads at runtime, sent via a TCP connection.
PS5 JAR Loader – What’s new
This latest update off PS5 JAR Loader brings the following changes:
- Add sdk to help with native code execution in remote JARs. Far from complete, needs more mappings.
- JarLoader now reads the remote JAR manifest to determine which payload class to execute.
- Added 3 sample payloads: list system properties, list directories from root using native direent API and a dumper of class files from Java VM.
- JAR loader now includes a generic SockerListener class which can be used for any network communication between remote JAR and the PC. Class dumper payload uses it for example to send back the class files.
- IntelliJ project converted to explicit IMLs for better or worse (this method is considered deprecated). But it allows better classpath control when project is refreshed from Maven.
- Versions are split between JAR loader and the rest of the project. This allows to release new SDK versions without needing to re-burn the loader.
- JAR loader version is now displayed on PS5.
- Made changes to make it possible to run remote JARs on a local development machine for testing. For example, class dumper can work just as well to dump local JVM classpath.
- RemoteLogger no longer crashes attempting to send a UDP packet that is too large.
Download and use PS5 JAR Loader
To restate, in order to test this tool, you need a Disc edition PS5 on firmware 7.61 or below. Digital edition will not work since this requires a Blu-Ray.
The exploit needs to be burned onto a Blu-Ray disc. You can find Blu Ray burners for reasonably cheap on Amazon and other retailers (make sure they support BD-RE and Dual Layer DL). TheFloW has specified in the past that he used Rewritable Verbatim discs (BD-RE) in his own tests. (affiliate links).