Thanks to the porting script by Sleirsgoevy for his “kstuff” tools on the PS5, pretty much all hackable PS5 firmwares can now run his Propser0gdb stack, which in return has led to port of etaHEN to those firmwares. Which, of course, means PS5 Backups are now supported on all these hackable firmwares (3.00 to 4.51 included). 4.02 seems to potentially be the black sheep here, and at this point I’d day if you have issues on 4.02, it is probably a good idea to update to 4.03. Update: 4.02 support now added!
The PS5 scene has made a huge leap over the end of year holidays, giving access to PS5 Backups to most hacked consoles. Of course, what looks like a “quick” leap on the surface is actually the result of many months of work under the hood by folks such as Sleirsgoevy and LightningMods.
What are Prosper0GDB, kstuff, etaHEN, and Itemzflow for the PS5?
Note: if you don’t care how your food is cooked, just jump down straight to the “Download and use” section below for links and tutorials.
Things have become a bit hairy and complex with the multiplicity of tools on the PS5 scene, so I feel we’re overdue for a recap:
PS5 Security in short
As you might know/remember, the PS5 has fairly advanced security mechanisms in place. In particular, the OS runs within an Hypervisor, a mechanism similar to a Virtual Machine, which ensures that even privilege escalation to root (aka a kernel exploit) doesn’t fully compromise the device.
Additionally, the PS5 kernel runs in an “eXecute Only” memory space (XOM), meaning it can run, but not be read (even with root privileges).
Typically once the PS4/PS5 scene has a kernel exploit, one of the first things we attempt to do is reverse engineer parts of the Kernel. The goal is to patch parts of the kernel in RAM, at runtime, to deactivate some protections (DRM checks and the like) as well as modify other elements of the system (for example to add functionality, in other words create a Custom Firmware, such as GoldHEN).
With an “eXecute Only” kernel, not only is it impossible to modify the kernel in RAM (XOM means no writing allowed), it’s not even possible to read it! This means no dump is possible, and consequently, reverse engineering of the kernel has been a tough nut to crack (solutions exist and some people have access to at least older versions of the kernel though).
This is where Prosper0GDB and “kstuff” come to the rescue.
Prosper0GDB and kstuff to the rescue
Although modifying/reading the kernel isn’t possible on the PS5 for now, hacker Sleirsgoevy has created a runtime debugger (Prosper0GDB) which is able to modify registers and the stack at runtime. In other words, although we are not able to patch the kernel in RAM, his debugger allows us to patch every instruction at the last minute, just before it gets executed.
The set of functions that Sleirsgoevy has created to patch “interesting” execution paths on the console is what we commonly call “kstuff”. Maybe not technically a “HEN” or Custom Firmware, but those are what I would personally consider to be the “building bricks” for a HEN.
Propser0GDB and kstuff is of course a very powerful toolkit, but without knowing which instructions are what, it was still extremely time consuming for Sleirsgoevy to reverse a specific kernel (4.03 at the time) and the instructions that mattered. And because most functions are located at different places depending on the version of the firmware, the location of interesting instructions to patch (or the “signature” to detect them when they’re about to be executed) changes with every firmware. Hence the need to port this to every single firmware that can be hacked.
Sleirsgoevy has developed a semi-automated tool to do this, which has ultimately led to a port of Prosper0Gdb and kstuff to all exploitable firmwares on the PS5 (Sleirsgoevy credits EchoStretch, zecoxao, embee, Sylntnyt, Dusk2D4wn, cheburek3000, and MKBUHD for help with these ports).
etaHEN and ItemzFlow to run PS5 Apps and Backups
With the building bricks in place to create a “Custom Firmware”, or rather a HEN (Homebrew enabler) for the PS5, folks such as LightningMods got to work. This is how etaHEN saw the light of day. EtaHEN is a payload that runs after the Jailbreak and basically acts as a Custom Firmware for the PS5. EtaHEN includes/leverages features from kstuff, in order, among other things, to run PS5 Apps. This includes Homebrew, but also PS5 “backups”, aka decrypted PS5 games. EtaHEN also has support for runtime patches and mods (such as 60 FPS Mods by Illusion), and other QoL improvements such as Debug Settings menu and the like. (It is somewhat comparable to GoldHEN on the PS4, although with less features for now).
LIghtningMods’ PS5 GUI Itemzflow wraps this all nicely with a bow, offering an interface to display and run PS5 Homebrew and backups, as well as PS4 games.
In parallel to all of this, tutorials have been popping up like mushrooms on the web on how to dump your own PS5 games, and how to install and run them via ItemzFlow on your hacked PS5.
Which takes us to where we are right now: although not all PS5 games are supported, it is now possible to dump PS5 games, and run decrypted versions of them on pretty much all hackable PS5 models. There are yet to be compelling PS5 Homebrews though, but hopefully this will come in time.
etaHEN 1.3, ItemzFlow 1.04: Download and run
If you just want to run your hack without much fuss, just read the next section (“How to dump PS5 Games, install and run them on a Hacked PS5“). If you’re interested in downloading and running the exploits yourself, go to the “Download” section below
PS5 – How to dump PS5 Games, install and run them on a Hacked PS5
Note: If you’re looking to buy a hackable PS5, here’s a quick reminder:
You’re looking for a PS5 with Firmware 4.51 or lower, ideally 2.xx if possible. Major retailers don’t sell those anymore, so you want to buy second-hand (eBay or equivalent).
- Hunt for either a “new in box” Launch Edition PS5 or “new in box” CFI-10xx (CFI-10xx are what you’re looking for, CFI-11xx are risky, CFI-12xx are no go),
or- Look for a used PS5 console where the seller can explicitly confirm the firmware. Sometimes searching for the exact firmware, e.g. PS5 4.03 can yield results. Always double check!!!
Although I will not dive into the details myself at the moment, multiple tutorials exist on how to dump your games, and how to run them with ItemzFlow. Modded Warfare has a guide on how to dump your games:
Note: At this point I am not entirely sure if Sleir’s SELF Dumper works on all firmwares (it might). If you’re running into issues, you might have better luck with SpecterDev’s SELF Dumper. Echo Stretch also has an updated version here which is supposed to support all firmwares.
To run the exploit, ItemzFlow, and PS5 backups, Echo Stretch has a straightforward tutorial here to get you going from scratch:
Download
The videos above should get you covered. Download links below are for your convenience, or if you want to host the exploit locally:
Public hosts that run the exploit (if you don’t want to self host): https://ps5jb.pages.dev/ , https://zecoxao.github.io/ps5/ .
Or, you can self host the exploit (or alternative with an ESP8266, which is what I personally do)
Note: As always, I’ve tried to be accurate in my descriptions of the hacks, tools, what they do and how they work. If I misinterpreted something, this is not out of malice but simply a human error. Feel free to let me know in the comments about anything incorrect!
Source link
credite