  • 2 days ago
12.52 security updates identified by zecoxao, TheFlow's new bug bounty report, PS5Debug & save mounter updates.
--------------------------------------------------------------------------------------------------------
Links:

TheFlow's Report: https://hackerone.com/playstation/hac...

12.52 update notes: https://www.playstation.com/en-gb/sup...

Zecoxao's video: • diff 1250 1252

PS5Debug: https://github.com/GoldHEN/ps5debug/r...

Save mounter: https://github.com/n0llptr/Playstatio...

OSM PS4 Debugger write up: https://www.hackingadventures.ca/blog...
--------------------------------------------------------------------------------------------------------
Timestamps:
0:00 - TheFlow Bug Bounty
1:30 - 12.52 Changes
4:02 - PSFree 9.xx Fixes
5:54 - PS5 Kstuff Progress
6:35 - PS5 Debug for 7.xx
6:58 - Save Mounter Updates
11:11 - OSM Mdbg Investigation
--------------------------------------------------------------------------------------------------------
Music
Outro: Paul Flint - Sock It To Them - • Paul Flint - Sock It To Them [NCS Release]
--------------------------------------------------------------------------------------------------------
Find my content on these other platforms:
Odysee: https://odysee.com/@MODDEDWARFARE
LBRY: https://lbry.tv/@MODDEDWARFARE
BitChute: https://www.bitchute.com/channel/cZkN...
Transcript
00:00 Hey, how's it going guys, welcome back to another PS4 and PS5 jailbreak news update.
00:04 So first of all, a couple of things that have been happening. We did get a new HackerOne bug
00:08 bounty report showing up on PlayStation's bug bounty program from TheFlow, and TheFlow received
00:15 a $5,000 bounty. Now normally for a kernel exploit it would be $10,000 or more, that's typically
00:21 the going rate for something as severe as a kernel exploit, so probably something less
00:27 significant here, but it's still in the high severity category. So you can see high severity
00:32 reports are $1,000 to $10,000 you'll get a bounty for if you submit a valid report there, and TheFlow
00:39 has got $5,000 for that particular report. So this does coincide quite nicely with the release of
00:46 12.52, which wasn't that long ago, where we got a message saying that PlayStation have made some
00:52 security fixes to the system software in 12.52. So it's likely whatever TheFlow reported here
00:58 is likely to be what was patched in 12.52, just based on the timing. Typically what happens is
01:05 PlayStation will release the new patch that patches whatever vulnerability was reported
01:09 in HackerOne, and then about a week later or so it will get resolved in HackerOne and then will appear
01:15 here that everybody can see, once it has been confirmed that the latest update that they released
01:20 has in fact fully patched the vulnerability that was reported, so that it can then be resolved here
01:25 in HackerOne. And that's typically what you see, and the timing definitely lines up very well for that.
01:30 Now we do have some further information that was brought to us by zecoxao on Twitter.
01:36 He also posted a YouTube video basically comparing the Java security file in the BD-J stack,
01:42 which has been changed as of 12.52 compared to 12.50. So you can actually find this file yourself,
01:48 you can just head into FTP on your own console and go to the system_ex directory and then go
01:55 into the app folder and then NPXS20113, which is the Blu-ray player, and then the BD-J stack folder,
02:03 the lib folder, security, and then java.security. That is the file that was changed. If we take a look
02:09 at the file itself, on line 189 and line 206, those are the two lines that were changed in 12.52.
02:18 So this version is from my 12.02 console right now. So this is what it looks like on 12.02.
02:24 Most likely pretty much the same on 12.50, I believe. So you can see we've got package.access
02:29 equals sun.com.sun.proxy.com. Now apparently what was changed here is that this was basically added
02:38 to it. And apparently this was also added to this line here as well. So it would appear they've
02:43 essentially expanded the number of packages that are now protected. So some of those packages that
02:49 weren't protected in previous firmware versions could have perhaps been used to escalate privileges
02:54 in some way, maybe for a userland exploit, but we'll have to wait and see on that. So I guess
02:59 we could say that there is a chance, at least a good chance anyway, that there might be some kind
03:04 of vulnerability that can be exploited again with the Blu-ray player with BD-J. And the best case
03:09 scenario, I guess, with that would be the ability to actually use that to then trigger the Lapse kernel
03:14 exploit up to 12.02 so that you'd be able to load the jailbreak with the Blu-ray disc instead of
03:19 requiring those expensive and hard to find Japanese titles. Of course, we won't know
03:24 until TheFlow's report gets made public once it's disclosed, which could be several months
03:29 down the line, of course. So we'll have to wait and see if that happens. But obviously,
03:33 there might be a chance that other, you know, exploit developers might be able to figure it out
03:37 also and release it earlier, so that we might have access to whatever this turns out to be
03:42 sooner than having to wait for TheFlow's report to get disclosed. So anyway, I thought that was
03:46 definitely, you know, worth a mention here. Obviously, we don't know entirely if this is going to end
03:51 up being some kind of Blu-ray exploit. I just want to be clear, this is mainly speculation at the
03:56 moment based on what has been revealed. So, you know, obviously take everything with a grain of
04:00 salt until we know for sure. Okay, so moving on to some more things for the PlayStation 4. We did,
04:05 in fact, get a fix for the black screen and save data corruption issues on 9.xx firmwares when loading
04:11 the Lapse exploit to the new jailbreak using the web browser with PSFree. So using the older WebKit
04:18 exploits to load the newer jailbreak, which allows us, of course, to jailbreak entirely from the web
04:23 browser on firmwares like 9.00, 9.03, up to 9.60, which previously had to use older exploits like the
04:30 PPPwn exploit or the USB exploits, which require additional devices to jailbreak the console. But you
04:36 can do it entirely from the web browser. Of course, the general consensus was not to use that exploit
04:41 because of the black screen and save data corruption issues that you would get when launching some of your
04:46 games. Now, there is a workaround for this. I made a video kind of showcasing it in a tutorial. But the
04:52 idea is that there is an old GoldHEN plugin, which is the AIO fix plugin for GoldHEN. You can just
04:58 install that plugin if you're on, you know, any of those 9.xx firmwares loading the Lapse jailbreak
05:03 from the web browser. And if you enable that plugin, it should resolve those issues. And I did do a test of
05:09 this using one of the GTA Definitive Editions. And it was getting a black screen. But as soon as I
05:16 enabled the plugin, it would eventually load the game and the save files worked fine. I didn't get
05:20 any save data corruption. I was able to create a save file on the game and then, you know, exit the
05:25 game, relaunch it again and continue that save file without any problems. So if you are wanting to use
05:30 that exploit, if you really just cannot stand using the USB drive on 9.00 or using the PPPwn exploit
05:36 up to 9.60, then you can use the Lapse exploit now if you enable that plugin to fix those problems.
05:42 Now, again, there may still be other issues with the Lapse exploit on the web browser. So
05:46 obviously proceed at your own risk. But if those are the main issues that were stopping you from
05:50 using it, you can use that plugin to resolve those problems. So moving on to some PS5 news,
05:55 we're also seeing some progress getting KStuff ported to higher firmwares above 7.61 to get your
06:01 homebrew applications running. And of course, your PS5 game backups and fake packages for PS4 games
06:06 on those higher firmwares. So at the moment, 7.61 is the highest firmware. But there was a
06:12 video that originally comes from EchoStretch here showing the PS5 remote Lua loader on 8.00
06:17 being used to load KStuff on that firmware. So it looks like EchoStretch has managed to
06:22 successfully get KStuff loaded at least on 8.00 and potentially higher. So there is definitely
06:28 some progress being made in that area for everybody who is waiting. You can clearly see EchoStretch
06:32 is working on it and is making some progress there. We do have a new build of PS5Debug released
06:38 by CTN. So this one now adds 7.xx support. So all 7.xx firmwares on the PS5 should be able to use PS5Debug,
06:46 which can be used, of course, for remote debugging of the console. So connecting debugging
06:52 tools, mod tools, trainers and various other things that you can do with PS5Debug, including,
06:58 of course, the save mounter, which has also been updated. So we have a new version of the PS5 save mounter.
07:03 Now this only works right now for PS4 saves on the PS5, not PS5 saves themselves. But you can
07:10 essentially mount your encrypted save files and extract the decrypted save data from it and replace
07:16 the decrypted save data of your saves. So this particular version of the save mounter from n0llptr
07:20 has had a bunch of support for different firmwares added. So the original version only supported
07:26 a very small number of firmwares, particularly older ones like 4.03. But this particular version
07:33 here supports 7.40, 8.20, 10.01. And then we got support for 4.03 and 6.02. 9.60 was added, 5.02 and 9.40.
07:44 And then, of course, we also have 5.50 and 7.20. So to load the save mounter, we need to load PS5Debug,
07:51 which you can do on 7.xx firmwares now with the new version using the Blu-ray exploit or the Lua
07:56 exploit. With the Lua exploits, you can use itsPLK's latest autoloader, which loads the Lua menu
08:02 with different payloads that you can select. You can go to the manage payloads option in the top
08:06 left-hand corner, and it will give you the IP address and port number 8084 that you can enter
08:12 in your web browser on another device like your computer that's connected to the same network.
08:16 And then from there, you can use the upload option to upload another payload to the console,
08:21 and you can select the PS5Debug payload, and then go back onto the console and refresh the page.
08:25 And that payload should then show up that you can load. So that's how you get it running using the
08:30 Lua exploit. And then for the save mounter, you also need to load FTP afterwards as well.
08:35 And then also, of course, with the Blu-ray exploit, you can just put the payload on the
08:39 root of a USB drive, plug it into the console, load Victorious X's ISO, and then head over to the
08:44 disc menu and select option 1 for UMTX1. Once that loads, you can select option 2 for the ELF loader.
08:50 Once that loads, you then want to select option 3 for the jailbreak, which allows you to load
08:54 payloads from the USB. And once that one's loaded, you'll then be able to go over to the USB menu,
09:00 and the payload should show up and you can load the PS5Debug payload. And then of course,
09:04 load the FTP payload afterwards as well, if you're wanting to use the save mounter.
09:08 Now one of the new features in the save mounter is that this version does not require you to run
09:12 the game, which is important because some games actually mount the save file when the game is first
09:18 loaded. And if the game has already mounted a save, the save mounter will not allow you to mount
09:22 another save file. And that was causing a problem, especially for installing the saves for the Lua
09:27 exploit. So just to show that that can now be done with this version, you can see that I have one of
09:31 the Japanese games that can be used to load the jailbreak. Currently, it's just running a normal
09:35 save file. And then if I go over to the save mounter, enter the IP address of the PS5 and connect,
09:41 then use the patch option to apply the patches. And then we can grab the account name of the account
09:46 we're signed into, and then the game, get the titles and select the title ID of the game that
09:51 we're trying to replace the save for. We can then grab the save files and select one of the save
09:56 files that shows up. So we can see we have save data here, and then I can select the option to
10:01 mount that save. So now the decrypted save data is mounted in the /mnt/pfs directory. We can just go
10:07 to that directory in FTP, /mnt/pfs, and then the save data folder, which now contains our decrypted save
10:13 files for that save. And I can just swap those out with another save file, another decrypted save.
10:18 In this case, I will use the itsPLK autoloader save file to get the Lua exploit on there. And when it
10:25 asks me to overwrite the save files, I'll just confirm it, and that will get all of those save
10:29 files copied over. And once that's done, we can then unmount the save inside the save mounter.
10:33 So now when I go to load the save file, it runs the autoloader, the Lua exploit, instead of the
10:38 original save file, and we've easily swapped that save file out. So that's just a quick example of how
10:43 you can use the save mounter, especially now on games that previously were awkward to try and replace
10:48 the save files for, because they perhaps loaded the save file as soon as the game was loaded,
10:52 preventing the save mounter from then being able to mount a save. That's not really an issue with
10:56 this version, because you can mount save files when you're not running the game now. So that is
11:00 definitely a welcome change. Now, if you want a more detailed guide on how to use the save mounter,
11:05 I have made a video before on the older version, which I will leave linked down in the video description,
11:10 which goes into more detail. And finally, we also got a write-up from OSM,
11:14 Old School Mods, about PS4 retail kits, basically a debugging investigation on PS4 retails,
11:20 uncovering a bunch of dormant debugging features from development and test kit consoles that still
11:26 basically exist in the retail units. And that can potentially be brought back to life to be able to
11:32 access a lot of these debugging features on retail consoles. So he has done a pretty in-depth
11:37 write-up on this. This is the first part of the write-up that has been released. So if you're
11:41 interested in looking into that, you can see here the conclusion. The findings confirm that Sony's
11:46 retail kernel retains nearly the full debug backend with mdebug, basic, fuse, and associated
11:53 syscalls, all still present and functional, just hidden behind environment checks. By mimicking the
11:58 correct environment and patching a few guardrails, we can unlock a surprising amount of devkit-like
12:03 functionality on retail hardware. In part 3, we'll take this a step further by exploring the DCI
12:09 daemon and what it would take to bring Sony's official debugger back to life. So trying to get
12:14 Sony's original debugger actually working at least partially on retail units, which would be pretty
12:19 interesting. So I'll go ahead and leave this down in the video description also if you want to read
12:23 more into it. But anyway, that's going to do it for this one. So hope you guys enjoyed this video or
12:27 found the information useful. If you did, please leave a like and subscribe. And once again,
12:30 I'll hopefully see you guys in the next one.