PS5: kstuff and etaHEN ported to all hackable PS5 firmware (PS5 backup support)

Thanks to a port script that Sleirsgoevy put together for his “kstuff” tools on the PS5, all hackable PS5 firmware can now run his Prosper0GDB stack, which in turn led to an etaHEN port to that firmware. This of course means that PS5 backups are now supported on all of these hackable firmwares (including versions 3.00 to 4.51). 4.02 seems to be the black sheep here, and at this point, if you’re having issues with 4.02, updating to 4.03 is probably a good idea. Update: 4.02 support added now!

The PS5 scene took a huge jump over the year-end holidays, making PS5 backups accessible for most hacked consoles. Of course, what looks like a “quick” jump on the surface is actually the result of several months of work under the hood by people like Sleirsgoevy and LightningMods.

What are Prosper0GDB, kstuff, etaHEN and Itemzflow for PS5?

Note: If you don’t care about the way your food is cooked, just go directly to the “Download and Use” section below for links and tutorials.

Things have gotten a little complicated with the growing number of tools in the PS5 scene, so I feel like we’re overdue for a summary:

PS5 security in a nutshell

As you may know/remember, the PS5 has fairly advanced security mechanisms. In particular, the operating system runs within a hypervisor, a mechanism similar to a virtual machine, which ensures that even escalation of privileges to root (also known as a kernel exploit) does not completely compromise the device.

Additionally, the PS5 kernel runs in an “eXecute Only” (XOM) memory space, meaning it can run, but cannot be read (even with root privileges).

Typically, once the PS4/PS5 scene gets a kernel exploit, the first thing we try to do is reverse engineer parts of the kernel. The goal is to patch parts of the kernel in RAM, at runtime, to disable certain protections (DRM checks and the like) as well as to modify other elements of the system (e.g. to add functionality, in other words to create a custom firmware, such as GoldHEN).

With an “execute-only” kernel, not only is it impossible to modify the kernel in RAM (XOM memory is not writable), it’s not even possible to read it! This meant that no kernel dump was possible, and thus, reverse engineering the kernel was a tough nut to crack (workarounds exist, and some people have access to at least older versions of the kernel).

This is where Prosper0GDB and “kstuff” come to the rescue.

Prosper0GDB and kstuff to the rescue

Although modifying/reading the kernel is not possible on PS5 at the moment, hacker Sleirsgoevy has created a runtime debugger (Prosper0GDB) capable of modifying registers and the stack at runtime. In other words, although we are unable to patch the kernel in RAM, his debugger allows us to act on each instruction at the last moment, just before it is executed.

The set of functions created by Sleirsgoevy to patch “interesting” execution paths on the console is what we usually call “kstuff”. It may not technically be “HEN” or custom firmware, but these are what I personally consider to be the “building blocks” of HEN.

Prosper0GDB and kstuff are of course a very powerful toolkit, but without being able to read the instructions, it took Sleirsgoevy a very long time to map out a given kernel (4.03 at the time) and its important instructions. Since most functions are located in different places depending on the firmware version, the location of the instructions that are interesting to patch (or the “signature” used to detect when they are about to be executed) changes with each firmware. Hence the need to port this to every firmware that can be hacked.

Sleirsgoevy developed a semi-automated tool to do this, eventually creating a Prosper0Gdb and kstuff port for all exploitable firmware on the PS5 (Sleirsgoevy credits EchoStretch, zecoxao, embee, Sylntnyt, Dusk2D4wn, cheburek3000, and MKBUHD for helping with these ports).

etaHEN and ItemzFlow to run PS5 apps and backups

With the building blocks in place for creating a “custom firmware,” or rather HEN (Homebrew Enabler) for the PS5, people like LightningMods got to work. This is how etaHEN came to be. etaHEN is a payload that runs after the jailbreak and essentially acts as custom firmware for the PS5. etaHEN includes/leverages kstuff features in order to run PS5 apps, among other things. This includes Homebrew, but also PS5 “backups,” also known as decrypted PS5 games. etaHEN also has support for runtime patches and tweaks (such as 60 FPS Mods by Illusion), and other quality of life improvements such as the patch settings menu and the like. (It’s somewhat comparable to GoldHEN on PS4, although it has fewer features at the moment.)

LightningMods’ PS5 GUI, ItemzFlow, nicely wraps all this up in a bow, providing an interface for viewing and playing PS5 Homebrew and backups, as well as PS4 games.

In parallel with all this, tutorials have been popping up like mushrooms on the web on how to dump your PS5 games, and how to install and play them via ItemzFlow on a hacked PS5.

Which brings us to where we are now: although not all PS5 games are supported, it is now possible to dump PS5 games and run decrypted versions of them on almost all hackable PS5 models. There are still no compelling PS5 Homebrew apps, but hopefully they will come in time.

etaHEN 1.3, ItemzFlow 1.04: Download and run

If you just want to get your hack running without too much fuss, just read the next section (“How to dump, install and play PS5 games on a hacked PS5”). If you are interested in downloading and running the exploit yourself, go to the “Download” section below.

PS5 – How to dump, install and play PS5 games on a hacked PS5

NB: If you’re looking to buy a hackable PS5, here’s a quick reminder:

You’re looking for a PS5 with firmware 4.51 or lower, preferably 2.xx if possible. Major retailers don’t sell these products anymore, so you’ll want to buy used (on eBay or equivalent).

  • Look for the PS5 launch version “new in box” or CFI-10xx “new in box” (CFI-10xx is what you are looking for, CFI-11xx is risky, CFI-12xx is not suitable),
    or
  • Look for a used PS5 console where the seller can explicitly confirm the firmware. Sometimes, searching for the exact firmware, for example PS5 4.03, may return results. Always double check!!!

While I won’t delve into the details myself at the moment, there are many tutorials on how to dump your games and how to run them with ItemzFlow. Modded Warfare has a guide on how to dump your games:

Note: At this point I’m not entirely sure if Sleirsgoevy’s SELF Dumper works on all firmwares (it might). If you’re having issues, you may have better luck with SpecterDev’s SELF Dumper. EchoStretch also has an updated version here which should support all firmwares.

To get the exploit working, and for ItemzFlow and PS5 backups, EchoStretch has a live tutorial here to help you get started from scratch:

Download

The videos above should have you covered. The download links below are for your convenience, or if you want to host the exploit locally:

Public hosts that trigger the vulnerability (if you don’t want to self-host): https://ps5jb.pages.dev/, https://zecoxao.github.io/ps5/.

Or you can host the exploit yourself (or alternatively use an ESP8266, which is what I personally do).

NB: As always, I tried to be accurate in my descriptions of the hacks and tools, what they do, and how they work. If I have misinterpreted something, it is not out of malice but just human error. Feel free to let me know in the comments about anything that’s incorrect!
