This project uses vulnerabilities discovered in BD-J layer of PS5 firmware version 7.61 and earlier to deploy a loader that is able to listen to JAR files and execute their main class. This makes it easy to burn the BD-R disc with the loader just once and then keep on running new versions of the experimental code. This repository provides all the necessary setup needed to create both the loader BD-R disc filesystem and the JAR to send to the PS5.
java -jar [jarfile].jar [ip] [host]
.The project comprises the following components:
pom.xml
defines the common properties and Maven plugin configuration for all the projects.assembly
subproject creates the directory that should be burned to a BD-R disc. I recommend ImgBurn
software to do this. Make sure to use the UDF 2.50 filesystem, then simply drag the contents of assembly/target/assembly-[version]
directory to in the disc layout editor.bdj-tools
subproject does not need to be touched. These are the utilities from HD Cookbook, adapted to run on JDK 11 and integrated into the build process of the BD-R disc filesystem.stubs
subproject contains the build script to download BD-J class files from HD Cookbook and organize them for use with local JDK 11. It's also a place where PS5-specific stub files should be declared so that they can be used in the Xlet and the remote JAR.sdk
subproject contains helper classes that simplify native invocation in the executed code. The classes in this module are embedded in the final JAR that will be sent to PS5 for execution.xlet
subproject contains the code of the Xlet that starts when BD-R disc is launched on PS5. It simply starts the JAR loader (by default on port 9025).xploit
subproject contains various payloads to be sent for execution on PS5. Each payload is a submodule of xploit
module and produces its own JAR file. The code in the JAR can reference classes from xlet
, such as the Status class to output on screen.
jar
- Utility classes for interacting with the JAR Loader. It is not a payload per-se but is packaged in every payload JAR to handle the hand-off from the JAR loader to payload's run
method.umtx/umtx1
- Implementation of UMTX exploit to obtain kernel read/write capabilities. Note that starting with firmware 6.00, kernel data segment is protected from writes.umtx/umtx2
- Alternative implementation of UMTX exploit.byepervisor
- Implementation of Byepervisor exploit, which enables bypassing of PS5 hypervisor to obtain kernel code read/write capabilities on firmware below 3.00.kerneldump
- In combination with UMTX and/or Byepervisor, this payload sends the dump of kernel over network.ftpserver
- Limited FTP server.samples
- Various trivial samples to demonstrate various capabilities of BD-J platform.The following properties in xlet/pom.xml can be adjusted before compiling and burning the JAR Loader to disk:
loader.port
- Port on which JAR loader will listen for data.loader.resolution.width
, loader.resolution.height
- Screen resolution to set in various files. Not sure how this affects anything, I did not experiment with this enough.loader.logger.host
- IP address where to echo the messages shown on screen. If blank, remote logging will not be used. This host can also receive binary data, see RemoteLogger#sendBytes.loader.logger.port
- Port on which remote logger will send the status messages.loader.logger.timeout
- Number of milliseconds to wait before abandoning attempts to connect to the remote logging host. If host is down after this timeout on the first send attempt, no further tries to do remote logging will be done.Either modify the POM directly, or pass the new values from command line, example: mvn clean package -Dloader.port=9025 -loader.logger.host=192.168.1.100
. To listen for messages on the remote machine when remote logger is activated, use socat udp-recv:[remote.logger.port] stdout
.
Even if the remote logger is not active by default in the Xlet burned on disc, it is possible to change the remote server configuration using one of the two approaches:
xploit.logger.host
and optionally xploit.logger.port
properties when compiling the JAR. These can be set in xploit/pom.xml or on command line mvn clean package -Dxploit.logger.host=192.168.1.110
.JAVA_HOME
points to the root of JDK 11. Add ${JAVA_HOME}/bin
directory to ${PATH}
.MAVEN_HOME
points to the root of Apache Maven installation. Add ${MAVEN_HOME}/bin
directory to ${PATH}
.pom.xml
of the new payload, set artifactId
of parent to "xploit", set groupId
of the module to "org.ps5jb.xploit" and set artifactId
of the module to the name of your payload.pom.xml
, set the property xploit.payload
to the name of the class above. If the class was created in a subpackage, then fully qualified name of the class is required. Otherwise, simly specify the name of the class without the package.mvn clean package
from the root of the project. It should produce the following artifacts:
assembly/target/assembly-[version]
contains all the files that should be burned to a BD-R disc.xploit/[payload]/target/[payload]-[version].jar
contains the code that can be sent repeatedly to the PS5 once the loader is deployed.java -jar xploit/target/xploit-[version].jar <ps5 ip address>`
PS5 should inform on screen about the status of the upload and the execution.
xploit
project, recompile using mvn package
and re-execute step 8 to retry as many times as necessary.File -> Open
dialog to the root of the project. Maven import will occur. Then follow manual steps in IntelliJ Project Structure to adjust the dependencies so that IntelliJ sees BD-J classes ahead of JDK classes.Maven -> Reload Project
in IntelliJ to sync the project files.mvn verify
rather than mvn package
. The Javadocs are enabled for sdk, xlet and xploit modules and are generated in the target/site/apidocs
directory of each module.mvn test
. Though note that not many unit tests are currently present since a lot of functionality is PS5 dependent.xploit
JAR does not have PS5 specific dependencies, it can be tested locally. The important part is to have xlet
, stubs
and xploit
JARs all in the same folder. If the payload refers to GEM, BD-J or Java TV API, the corresponding JAR files generated in lib directory should also be present in the same folder. Maven build automatically creates this arrangement in target
directory of each payload so the command to run the payload on development machine is very similar to the one that sends the JAR to PS5:
java -jar xploit/[payload]/target/[payload]-[version].jar
When running locally, the Status
class prints to standard output/error, rather than on Screen
.
xlet
version is independent and will only be incremented when new disc needs to be burned with the updated JAR loader classes. If the PS5 shows a version different from the one produced by the code of this repo, payloads are not guaranteed to be compatible, so it's best to burn a new loader disc. This version is not expected to be incremented often as the loader is pretty stable. To increment this version, change the value of xlet.version
property in pom.xml.mvn versions:set -DnewVersion=[version]
, then refreshing the IntelliJ Maven project as described in bullet point number 2.IntelliJ Maven project files are located in a private local folder of IntelliJ. Initial opening and the following reloads of the Maven project incorrectly import some of the settings. In particular, BD-J stack JARs are completely ignored or are imported with a wrong scope. Unfortunately, due to this fact, the following steps need to be performed every time a Maven project reload occurs:
$PROJECT_DIR$
macro again.Project Structure
window and switch to Modules
tab. Go through every module and make sure that the modules bdj-api
, javatv-api
and gem-api
have "Provided" scope.+ (Add) -> Library
button and add bdjstack
library dependency. Make sure it is moved in the top position above SDK 11 entry. This setting used to be commited to version control and could be simply reverted, but in recent updates, it has to be performed every time. There are so many who decided to share the knowledge with the community to make this project possible.
Sample BD-J payloads in this repositories are adaptations of the following work: