The developer ChendoChap has updated the pOOBs4 exploit. It has not been fully tested yet, so the jailbreak could go into panic (this means the exploit could fail, but no damage will be done to the console).

The update completely disables the sysVeri patch, previously used to delay and disable the kernel panic (the fatal error), and it also makes the exfathax.img file even smaller.

Update: https://t.co/o4ItUx3Ha6 – Al Azif (@_AlAzif) January 17, 2022

The developer does not have their own Twitter account, so updates are reported sporadically by Al Azif; you can also follow any updates on the SCE PARTY Discord channel.

This is to be considered a beta version, therefore two IMG files are provided: the old exfathax.img and the new, much smaller exfathax_pico.img.

In this project you can find a new implementation that tries to exploit a filesystem bug present in firmware 9.00 of the PlayStation 4 console, found while diffing the 9.00 and 9.03 kernels.

Note: the bug predates firmware 1.00, which means that all firmware versions between 1.00 and 9.00 should be exploitable using the same strategy (you will still need a different userland exploit and gadgets).

To jailbreak, all you have to do is visit the web page biteyourconsole.net/pOOBs4/ from the PlayStation 4 web browser and connect a USB device onto which the exFAT image exfathax.img has been written.

Once activated, the exploit allows us to execute arbitrary code at kernel level, enabling the jailbreak and kernel-level modifications of the system.

The payload launcher runs as usual on port 9020. Side note: the exploit does not work on the latest 9.03 firmware.

The following patches are applied to the kernel:

Allows RWX (read-write-execute) memory mapping (mmap / mprotect).

Syscall instructions allowed everywhere.

Dynamic resolution (sys_dynlib_dlsym) allowed from any process.

Custom system call #11 (kexec()) to execute arbitrary code in kernel mode.

Allows unprivileged users to call setuid(0) successfully. It works as a health check and doubles as a privilege escalation.

(sys_dynlib_load_prx) patch.

Disabled sysVeri.

This exploit differs from previous ones, which were based solely on software: triggering the vulnerability requires plugging in a specially formatted USB device at the right time.

Inside the repository you will find a .img file. The image can be written to a USB device using one of the many programs available, such as Win32DiskImager.

Note: this will erase the USB drive; make sure you select the correct drive before confirming.

When the exploit is run on the console, wait until a dialog appears with the message “Insert USB now. do not close the dialog until notification pops, remove usb after closing it.”.

As the dialog indicates, insert the USB drive and wait until the “disk format not supported” notification appears, then close the dialog with “OK”.

The exploit may take about a minute to run and the spinning animation on the page may freeze; this is fine, so let it continue until either an error is displayed or it succeeds and the message “Awaiting payload” appears.

Unplugging the USB drive before a (re)boot cycle risks damaging the kernel heap on boot.

The browser may trick you into closing the page prematurely; don’t.

The loading circle may freeze while the WebKit exploit is triggering; this does not yet mean that the exploit has failed.

You can replace the loader with a specific payload to load things directly instead of doing it via sockets.

This bug works on some PS5 firmware, but there is currently no known strategy to exploit it. Using this bug blindly on the PS5 is not recommended.

Please don’t open issues to tell me there aren’t any … or try to get me to do your homework for you.

This repository does not provide anything other than the initial kernel patches that allow you to run payloads. If you are experiencing issues with certain payloads, you should report them to the developers of those payloads through whatever means they make available to you.

The name of the repository is a fusion of the words “ps4” and “OOB”, the latter being the type of vulnerability this implementation tries to exploit; any other interpretation is purely coincidental and unintentional.

As stated earlier, this bug was found by diffing the 9.00 and 9.03 kernels, which implies that it has been fixed in firmware 9.03.

After activating the exploit we inject the desired payloads. To do so, all you have to do is download the Netcat GUI application, send the Mira loader first to port 9020, then the desired payload to port 9021.

Dump a game from Blu-ray / PSN disc

1. Download and extract the archive payloads (3.50.9.00).zip.

2. Create a text file and rename it dumper.cfg (possibly you can download it from here), then copy the file to a USB device with an exFAT file system, which will be used to dump games. Type split = 0 to dump into the folder CUSAxxxxx without splitting app and patch files; split = 1 to dump only the app into the folder CUSAxxxxx-app; split = 2 to dump only the patch into the folder CUSAxxxxx-patch; split = 3 to dump and split both app and patch into different folders. You can also set a different time interval between notifications (60 by default; type 0 to disable notifications). Type shutdown = 0 to turn off the console after the game dump finishes, or shutdown = 1 to keep the session going even after the dump.

3. Run the exploit and inject the payload app-dumper.bin.

4. Insert the Blu-ray disc you intend to dump into the drive (or run the PSN title if it is in digital format); you can also install the game updates, which will be dumped together with the game.

5. Minimize the web browser (PS button), but do not close it.

6. Run the game you want to dump and get at least as far as the game menu, then minimize it (PS button).

7. Wait for completion. When the dump process is finished, the lights stop flashing and the console turns off automatically (if so set in the dumper.cfg file).

8. Now turn the console back on, remove the disc and try uninstalling the game (for further testing).

9. Disconnect the USB device from the console and connect it to the PC, then run the tool gengp4.exe (you will have to get this app yourself; we cannot link it here), click File > Open, select the directory CUSAxxxxx-APP, click Generate .GP4 (you should get ‘Done’), then click Save .GP4.

10. Still in gengp4.exe, select the directory CUSAxxxxx-PATCH, click Generate .GP4 (you should get ‘Done’), then click Save .GP4.

11. Run the program orbis-pub-gen.exe (you will have to get this app yourself; we cannot link it here), select CUSAXXXXX-APP.GP4 and click the Build button with the red downward arrow. Once the procedure is finished, close the program.

12. Still in orbis-pub-gen.exe, select CUSAXXXXX-PATCH.GP4 and click the Build button with the red downward arrow. Once the procedure is finished, close the program.

13. Now you can delete the folders CUSAXXXXX-APP and CUSAXXXXX-PATCH.

14. Open the .gp4 file in orbis-pub-gen.exe and create the .pkg file.

Kill sysVeri even more and leave no witnesses.

Fixed a bug that somehow wasn’t breaking anything?

Fixed a ROP bug related to SysV stack alignment.

Provides more krop support functions.

Provided a smaller img (0x1800 bytes, also very compressible). See [#29] [#31].

Added wk expl integrity check.

It ensures that the pages accessed by the kernel are locked.

Tries to reduce the time spent with interrupts disabled.

Note: extensive tests have not yet been performed; it could be worse, so panic at your own risk!

Host exploit 9.00: biteyourconsole.net/pOOBs4/

Download: Payload GoldHEN (firmware 9.00)

Download: pOOBs4 (exfathax_pico.img) [updated]

Download: pOOBs4 (exfathax.img)

Download: Source code pOOBs4

