hammer-83 / ps5-jar-loader

Remote JAR Loader for PS5, using BD-J vulnerability
67 stars 8 forks source link

PlayStation 5 Remote JAR Loader

This project uses vulnerabilities discovered in BD-J layer of PS5 firmware version 7.61 and earlier to deploy a loader that is able to listen to JAR files and execute their main class. This makes it easy to burn the BD-R disc with the loader just once and then keep on running new versions of the experimental code. This repository provides all the necessary setup needed to create both the loader BD-R disc filesystem and the JAR to send to the PS5.

Quickstart

  1. Download the JAR Loader ISO release.
  2. Burn it to a BD-R(E) disc and run it from the PS5 "Media" tab.
  3. Download one of the pre-compiled JARs or compile your own by reading the steps below.
  4. Send the JAR to the JAR Loader using NetCat, or using the JAR file itself, if the machine has Java installed: java -jar [jarfile].jar [ip] [host].

Prerequisites

Structure

The project comprises the following components:

Configuration

The following properties in xlet/pom.xml can be adjusted before compiling and burning the JAR Loader to disk:

Either modify the POM directly, or pass the new values from command line, example: mvn clean package -Dloader.port=9025 -loader.logger.host=192.168.1.100. To listen for messages on the remote machine when remote logger is activated, use socat udp-recv:[remote.logger.port] stdout.

Even if the remote logger is not active by default in the Xlet burned on disc, it is possible to change the remote server configuration using one of the two approaches:

  1. Specify xploit.logger.host and optionally xploit.logger.port properties when compiling the JAR. These can be set in xploit/pom.xml or on command line mvn clean package -Dxploit.logger.host=192.168.1.110.
  2. Programmatically in the JAR payload by calling Status#resetLogger.

Usage

  1. Make sure environment variable JAVA_HOME points to the root of JDK 11. Add ${JAVA_HOME}/bin directory to ${PATH}.
  2. Also make sure that MAVEN_HOME points to the root of Apache Maven installation. Add ${MAVEN_HOME}/bin directory to ${PATH}.
  3. To create the payload follow these steps:
    • Make a copy of one of the sample payloads by copying the whole directory and placing it in xploit directory.
    • In pom.xml of the new payload, set artifactId of parent to "xploit", set groupId of the module to "org.ps5jb.xploit" and set artifactId of the module to the name of your payload.
    • Create a class implementing "Runnable" interface in the "org.ps5jb.client.payloads" package of the new module. The code inside "run" method will be the entry point of the payload.
    • Back in pom.xml, set the property xploit.payload to the name of the class above. If the class was created in a subpackage, then fully qualified name of the class is required. Otherwise, simly specify the name of the class without the package.
  4. Execute mvn clean package from the root of the project. It should produce the following artifacts:
    • Directory assembly/target/assembly-[version] contains all the files that should be burned to a BD-R disc.
    • File xploit/[payload]/target/[payload]-[version].jar contains the code that can be sent repeatedly to the PS5 once the loader is deployed.
  5. Burn the BD-R (better yet BD-RE) with the contents from the directory mentioned in the step 4a. Note that re-burning the JAR loader disc is only necessary when the source of xlet or assembly modules is changed.
  6. Insert the disc into the PS5 and launch "PS5 JAR Loader" from Media / Disc Player.
  7. A message on screen should inform about loader waiting for JAR.
  8. Send the JAR using the command:
    java -jar xploit/target/xploit-[version].jar <ps5 ip address>`

    PS5 should inform on screen about the status of the upload and the execution.

  9. Once execution is complete, the loader will wait for a new JAR. Do the necessary modifications in xploit project, recompile using mvn package and re-execute step 8 to retry as many times as necessary.

Notes

  1. To use with IntelliJ, point File -> Open dialog to the root of the project. Maven import will occur. Then follow manual steps in IntelliJ Project Structure to adjust the dependencies so that IntelliJ sees BD-J classes ahead of JDK classes.
  2. If any of POMs are modified, it's necessary to do Maven -> Reload Project in IntelliJ to sync the project files.
  3. To generate Javadocs, use mvn verify rather than mvn package. The Javadocs are enabled for sdk, xlet and xploit modules and are generated in the target/site/apidocs directory of each module.
  4. To run unit tests, use mvn test. Though note that not many unit tests are currently present since a lot of functionality is PS5 dependent.
  5. If the xploit JAR does not have PS5 specific dependencies, it can be tested locally. The important part is to have xlet, stubs and xploit JARs all in the same folder. If the payload refers to GEM, BD-J or Java TV API, the corresponding JAR files generated in lib directory should also be present in the same folder. Maven build automatically creates this arrangement in target directory of each payload so the command to run the payload on development machine is very similar to the one that sends the JAR to PS5:
    java -jar xploit/[payload]/target/[payload]-[version].jar

    When running locally, the Status class prints to standard output/error, rather than on Screen.

  6. There are currently two separate version numbers in use by the project:
    • The xlet version is independent and will only be incremented when new disc needs to be burned with the updated JAR loader classes. If the PS5 shows a version different from the one produced by the code of this repo, payloads are not guaranteed to be compatible, so it's best to burn a new loader disc. This version is not expected to be incremented often as the loader is pretty stable. To increment this version, change the value of xlet.version property in pom.xml.
    • The rest of the modules use the version from the parent POM. This version will be incremented with the new release and reflects that either the SDK or the payloads have changed. If the loader version remained the same, these new versions of payloads can still be sent to the JAR loader without re-burning the disc. This version can be incremented by executing mvn versions:set -DnewVersion=[version], then refreshing the IntelliJ Maven project as described in bullet point number 2.

IntelliJ Project Structure

IntelliJ Maven project files are located in a private local folder of IntelliJ. Initial opening and the following reloads of the Maven project incorrectly import some of the settings. In particular, BD-J stack JARs are completely ignored or are imported with a wrong scope. Unfortunately, due to this fact, the following steps need to be performed every time a Maven project reload occurs:

Credits

There are so many who decided to share the knowledge with the community to make this project possible.

Sample BD-J payloads in this repositories are adaptations of the following work: