Thanks to visit codestin.com
Credit goes to github.com

Skip to content

EXHades/ps4jb

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

119 Commits
common
common
 
 
jb
jb
 
 
jb702
jb702
 
 
mira
mira
 
 
mira702
mira702
 
 
oldjb
oldjb
 
 
src
src
 
 
webkit-7.02 @ 9942d0e
webkit-7.02 @ 9942d0e
 
 
.gitmodules
.gitmodules
 
 
702.js
702.js
 
 
Cache.manifest
Cache.manifest
 
 
README.md
README.md
 
 
fakeusb.html
fakeusb.html
 
 
fakeusb.js
fakeusb.js
 
 
favicon.ico
favicon.ico
 
 
ftp.html
ftp.html
 
 
ftp.js
ftp.js
 
 
index.html
index.html
 
 
index702.html
index702.html
 
 
jb.html
jb.html
 
 
linux-3gb.html
linux-3gb.html
 
 
linux-3gb.js
linux-3gb.js
 
 
linux.html
linux.html
 
 
linux.js
linux.js
 
 
linux702-3gb.js
linux702-3gb.js
 
 
linux702.js
linux702.js
 
 
mira.html
mira.html
 
 
netcat.html
netcat.html
 
 
netcat702-mira.html
netcat702-mira.html
 
 
netcat702.html
netcat702.html
 
 
payload702.html
payload702.html
 
 
ps4-hen-vtx-702.js
ps4-hen-vtx-702.js
 
 
ps4-hen-vtx.html
ps4-hen-vtx.html
 
 
ps4-hen-vtx.js
ps4-hen-vtx.js
 
 
spoofer.html
spoofer.html
 
 
spoofer.js
spoofer.js
 
 
todex.bin
todex.bin
 
 
todex.html
todex.html
 
 
todex.js
todex.js
 
 

Repository files navigation

ps4jb

This is a full chain exploit for PS4 firmware 6.72. Basically this is TheFlow's POC together with PS4-specific kROP & kernel patches. Mira is used as a HEN payload.

Building from source

To build from source, clone this repository recursively, and run these commands:

cd src
make

You will get a fresh copy of the binary build in src/build/.

Dependencies: python3, gcc, ROPgadget. Note: Mira is not being built from source

Adding your own payloads

miraldr.c loads 65536 bytes at address stored in JS variable mira_blob into RWX memory and jumps to it. At this point only the minimal patches (amd64_syscall, mmap, mprotect, kexec) are applied (i.e. the process is still "sandboxed"). Normally mira_blob contains MiraLoader.

mira_blob_2_len bytes at mira_blob_2 are sent to 127.0.0.1:9021 in a background thread. If mira_blob contains MiraLoader this will be run in the same way but with the full patchset applied & already jailbroken.

Credits

About

PS4 6.72 jailbreak

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • JavaScript 99.7%
  • Other 0.3%