A complete Java port of the poops_ps5.lua IPv6 UAF kernel exploit originally developed by Gezine and egycnq, based on the ExploitNetControlImpl vulnerability discovered by TheFlow. This project is designed to run natively within the PlayStation 5 BD-J (Blu-ray Java) environment.
This payload exploits a Netgraph/sys_netcontrol Use-After-Free (UAF) vulnerability, using IPv6 routing headers for heap spraying, to obtain arbitrary kernel read/write; it then patches process credentials for root privileges, enables Debug Settings via a GPU DMA memory patch, and deploys an ELF loader.
- Full Kernel R/W: Stable UAF execution with dynamic triplet repair and Kqueue reclamation to prevent kernel panics.
- Privilege Escalation: Patches process credentials (`ucred`) to achieve root access.
- Debug Settings: Uses GPU DMA to patch QA flags, target ID, and UTOKEN in protected kernel memory.
- ELF Loader: Safely allocates and maps executable memory using shared memory aliasing (respecting FreeBSD W^X protections) and spawns a system thread listening on port 9021 for payload execution.
This project began as a technical challenge. Due to a lack of initial in-depth knowledge regarding FreeBSD internals and the PS5 kernel, the initial port of poops_ps5.lua to Java was generated using Large Language Models (LLMs).
Starting from that AI-generated foundation, extensive reverse engineering, iterative hardware testing, and debugging were performed to stabilize the exploit chain.
This project relies heavily on the research and open-source contributions of the PlayStation security community:
- Gezine & egycnq: For the original `poops_ps5.lua` script and the core implementation of the exploitation chain.
- TheFlow (Andy Nguyen): For the discovery of the `ExploitNetControlImpl` vulnerability and the original BD-J sandbox escape research.
- SpecterDev (Cryptogenic), ChendoChap, John Törnblom, and the ps5-payload-dev contributors: For their foundational work on PS5 ELF loading, memory mapping, and the overall payload ecosystem.
- Testers: A massive thank you to DrYenyen, EchoStretch, and Viktorious-x, who generously volunteered their time and consoles to test and debug this payload despite not knowing me beforehand.
- A PS5 on firmware 12.00 or below with an unpatched BD-J environment.
- A functional BD-J Loader environment running on the console.
- Note: For our testing and development, we successfully used the BD-UN-JB 1.0 ISO, which includes the Jar Loader utilizing TheFlow's API.
- Send the compiled `.jar` file to the listening BD-J loader on your console (typically via port 9025).
- Wait for the process to complete all 7 stages. Once finished, the Debug Settings will become visible, and the ELF loader will be active.
- Close the Blu-ray application.
- Send your final payload (e.g., an `.elf` file) to port 9021.
If you found this project helpful and want to support my work, consider buying me a coffee!