\-- 05/18/2026 --

Updated poopsploit to 1.5

Now poopsploit supports 4.03 6.02 to 12.00 FW (There are problem at 4.xx and 5.xx)

Improved stability

Merged ufm42's kexp PS5 post JB all in one shellcode

Deprecated PS5 firmware specific kernel offsets

Deprecated GPU RW

\-- 05/16/2026 --

Updated bdj\_unpatch\_1320\_v2.elf

Made unpatch process more safe

download 1.05 again, now the alphabetical order is fixed and a minor bug in the autoloader editor too...

WIP from SiSTR0.. #GoldHen4Eva

goldhen coming In PS5 FROM Sistro

Created by Yharnam

PPSA30803_01.200.000

PPSA31246 01.200.000

Untouchable

Infi Health

1 Hit Kill

Infi Ammo

Infi Items

Max CP (Buy)

Save count always 1

Development and testing environment

FW 4.50 / 7.61/ 9.20

etaHen 2.5B / etaHen 2.6B

Kstuff 1.6.7/ Kstuff Lite

Itemzflow (Shadowmount not verified.)

External M2 SSD folder style (exFAT and FFPKG not verified.)

Using Backpork for 4.xx

► To FW 10.xx users.

If it freezes or doesn't work on FW 10.xx, use BackPort for 4.xx.

# ps5debug-NG

A debugger payload for jailbroken PlayStation 5 consoles. Ships a userland

command server that runs inside SceShellCore, letting remote clients inspect

and manipulate running processes, the kernel itself, and the system UI over a

simple TCP protocol.

ps5debug-NG is inspired by Ctn's `ps5debug 1.0b5` and is wire-compatible with

it - existing clients should work without modification. It is licensed under

GPL-3.

---

## Supported firmwares

The kernel kpatch routine in [installer/source/main.c](installer/source/main.c)

recognises the following firmware families. Booting on an unsupported FW prints

`port_outer: kpatch SKIP - unsupported FW magic 0x...` to the kernel log and

aborts cleanly.

| Family | Label in code |

|--------------------|----------------------------|

| 3.xx | `FW 3.x` |

| 4.xx | `FW 4.x` |

| 5.xx | `FW 5.x` |

| 6.xx | `FW 6.x` |

| 7.xx | `FW 7.x` |

| 7.5x | `FW 7.5x` |

| 8.xx | `FW 8.x` |

Each family covers several point releases - see the switch in

[installer/source/main.c](installer/source/main.c) for the exact set of FW

magic values recognised per family. Clients can read the running FW with

`CMD_FW_VERSION` (returns the kernel's raw FW magic word).

---

## Primary Features

### Process inspection and manipulation

- **Enumerate processes** (`p_comm` + pid list).

- **Read and write target memory** in streamed chunks.

- **List virtual memory maps** - ranges, protections, backing names.

- **Query process metadata** - name, path, titleId, contentId.

- **Identify the foreground app** (`0xBDDD0006`) - returns pid + titleid +

contentid + process name + the game's version, parsed server-side from the

title's `param.sfo`. Useful for clients that need to know what's currently

running without listing every process.

- **Server-side stack walk** (`CMD_PROC_READ_STACK`) - the server walks the

RBP chain itself (up to 64 frames) and bundles each frame's saved-RBP,

return address, frame-local bytes, and a 200-byte code window around the

return address into one response. Clients avoid paying many TCP round-trips

per stack frame.

- **Change memory protection** on arbitrary target regions.

- **Allocate / free / hint-allocate** memory inside any target process.

### In-target code execution

- **Install an RPC stub** (`CMD_PROC_INSTALL`) - injects a reusable trampoline

with its own thread into the target.

- **Call arbitrary functions** with up to six SysV ABI register arguments and

read back `rax` (`CMD_PROC_CALL`).

- **Load ELFs** into a target process - either jump to the entry point

immediately (`CMD_PROC_ELF`) or return the entry for later invocation

(`CMD_PROC_ELF_RPC`).

### Full userland debugger

- **Attach** to a single target with `CMD_DEBUG_ATTACH` (sets up an async

interrupt channel back to the client).

- **Software breakpoints** - up to **30** slots, transparent `0xCC` injection.

- **Hardware watchpoints** - up to **4** DR0-DR3 slots with read / write /

read-write and 1/2/4/8-byte granularity.

- **Thread control** - list, suspend, resume, single-step, per-thread step.

- **Full register access** - general-purpose, FPU + YMM, and debug registers.

- **Continue / stop / halt** the whole process from one command.

- **Asynchronous interrupt packets** delivered on a separate TCP connection so

the client never polls.

### Kernel access

- Get the **kernel base address**.

- **Read** arbitrary kernel memory.

- **Write** arbitrary kernel memory.

### Built-in Zydis disassembler

Large memory regions never leave the PS5. Three server-side decoder commands

keep bandwidth low:

- `CMD_PROC_DISASM_REGION` - packed 32-byte-per-instruction stream with

control-flow, memory-operand, and RIP-relative metadata.

- `CMD_PROC_EXTRACT_CODE_XREFS` - all resolved RIP-relative branch/call

targets in a region, deduplicated.

- `CMD_PROC_FIND_XREFS_TO` - only instructions that reference a specific

target address.

### Built-in Keystone assembler (x86-64)

A cross-compiled LLVM-MC Keystone (x86-only, no exceptions / no RTTI, static

~4 MB) is embedded in the payload, exposed via the raw-literal opcode

`0xBDAA0024`. Lets clients assemble asm text into machine code on the console

itself.

- Pure userspace - needs no attached process and no `CMD_PROC_AUTH` handshake.

- Request: `u64 base_addr; u32 ks_opt_syntax;` + asm text (NUL not required).

`ks_opt_syntax` defaults to Intel; pass 1/2/4/8/0x10 for Intel/ATT/NASM/MASM/GAS.

- Response: `CMD_SUCCESS` + `u32 byte_len; u32 insn_count;` + machine bytes,

or `CMD_ERROR` + `u32 ks_errno; u32 msg_len;` + Keystone's human-readable error.

- The opcode is deliberately a raw literal (no `CMD_*` macro) so the published

`CMD_*` set that some clients enumerate stays unchanged.

### Memory scanning

- **Value scan** (`CMD_PROC_SCAN`) - single-pass, 12 value types × 13 compare

modes (exact, fuzzy, bigger/smaller, between, increased, decreased, changed,

etc.).

- **Iterative scan session** (`SCAN_START` → `SCAN_COUNT` → `SCAN_GET`) - lets

clients narrow a result set server-side over many passes.

- **AOB scan** (`CMD_PROC_SCAN_AOB`) - byte patterns with `??` wildcards.

- **Multi-pattern AOB scan** (`CMD_PROC_SCAN_AOB_MULTI`) - many patterns in

one pass.

- **Auth-gated** - scan commands require a prior `CMD_PROC_AUTH` handshake.

### System UI integration

- **Push notifications** to the user's screen with arbitrary UTF-8 text.

- **Print** to the kernel console.

- **Reboot** the console.

### Klog forwarder

- TCP **3232** streams the kernel log to a connected client (host-side

`klog reader` style). Survives suspend/resume the same as the main server.

### Discovery

- A UDP broadcast responder on port `1010` echoes a handshake magic

(`0xFFFFAAAA`) so clients can find the PS5 on the LAN without hard-coding

an IP.

### Rest-mode support

- The payload **survives suspend / resume** without needing to be reloaded.

A supervisory loop polls the network periodically: when the console drops

into rest mode the server exits cleanly, and as soon as the network comes

back the server restarts and a fresh "online" notification fires.

- Clients see a clean disconnect on port 744 when rest mode begins and can

simply reconnect after wake.

### Performance-oriented design

- Non-blocking sockets with `TCP_NODELAY`, `SO_KEEPALIVE`, large transfer

chunks.

- Zydis amalgamation compiled at `-O3 -DNDEBUG` for maximum decode throughput.

- Link-time dead stripping (`-ffunction-sections -fdata-sections

-Wl,--gc-sections`).

- Interrupt packets streamed over a dedicated side channel to avoid blocking

the command loop.

---

## Architecture

The deployable artifact `ps5debug-NG.elf` is a two-component build:

```

┌──────────────────────────────────────────────────────────────┐

│ ps5debug-NG.elf │

│ │

│ ┌───────────────────┐ injects ┌───────────────────┐ │

│ │ installer ELF │─────────────▶│ debugger ELF │ │

│ │ (umtx-loaded PIE) │ │ (in SceShellCore) │ │

│ └───────────────────┘ └────────┬──────────┘ │

│ │ │

│ ┌────────────────▼─────────┐ │

│ │ - TCP server :744 │ │

│ │ - debug async :755 │ │

│ │ - klog forward :3232 │ │

│ │ - UDP bcast :1010 │ │

│ └──────────────────────────┘ │

└──────────────────────────────────────────────────────────────┘

```

- **installer** - umtx-loaded SDK PIE. Finds SceShellCore, sets up the

target's KEX state and syscall-origin filter, then calls the SCE-side

`inject_remote_thread_create` primitive to run the embedded debugger as

a SceShellCore-internal thread.

- **debugger** - runs inside SceShellCore once injected. Implements the

wire protocol, breakpoints / watchpoints / single-step, memory scan, RPC,

and ELF inject. Built into `debugger/build/debugger.elf`, then embedded as

a `.rodata` blob into the installer via `.incbin`.

Running the wire protocol from inside SceShellCore is what lets `PT_ATTACH`

on game pids look kernel-side like an SCE-originated debug attach, which

PS5's AppContext gating allows. A standalone process doing `PT_ATTACH` gets

the game flagged and stops progressing.

---

## Network protocol at a glance

| Port | Proto | Direction | Purpose |

|-------|-------|----------------|--------------------------------------|

| 744 | TCP | client → PS5 | Command server |

| 755 | TCP | PS5 → client | Async debug interrupts |

| 3232 | TCP | PS5 → client | Kernel log forwarder |

| 1010 | UDP | bidirectional | Discovery beacon (`0xFFFFAAAA`) |

Every command begins with a 12-byte header:

```c

struct cmd_packet {

uint32_t magic; // 0xFFAABBCC

uint32_t cmd; // 0xBDAA..., 0xBDBB..., 0xBDCC..., 0xBDDD...

uint32_t datalen; // length of request body that follows

};

```

Followed by the command's fixed request struct (if any), any trailing

variable-length payload, and a `uint32_t` status code reply.

**Note on status words.** The status `uint32_t` on PS5 is transmitted with

its bit pairs swapped (`net_send_int32` swaps even/odd-bit positions). Clients

must un-bitswap incoming status values before comparing to `CMD_SUCCESS` /

`CMD_ERROR` / `CMD_DATA_NULL` / `CMD_ALREADY_DEBUG`. Subsequent payload bytes

are sent raw.

**Full protocol specification:** [PROTOCOL.md](PROTOCOL.md) - every command,

every packet struct, every enum, every status code, with `file:line`

citations.

---

## Command coverage

| Namespace | Count | Examples |

|---------------|-------|------------------------------------------------------------|

| Info / ping | 5 | `VERSION`, `FW_VERSION`, `BRANDING`, `PLATFORM_ID`, `NOP` |

| Process | 26 | `READ`, `WRITE`, `MAPS`, `CALL`, `SCAN_*`, `DISASM_*` |

| Debug | 18 | `ATTACH`, `SET_BREAKPOINT`, `GETREGS`, `STEP`, `CONTINUE` |

| Kernel R/W | 3 | `KERN_BASE`, `KERN_READ`, `KERN_WRITE` |

| Console | 6 | `NOTIFY`, `PRINT`, `REBOOT`, `INFO`, `END`, `FOREGROUND_APP` |

| **Total** | **58**| |

---

## Building

Prerequisites (Ubuntu / Debian):

```sh

sudo apt install bash clang-18 lld-18

```

Build:

```sh

./build.sh

```

This builds the SDK first (one-time, cached), then the debugger, then the

installer (which embeds the debugger), then publishes `ps5debug-NG.elf` at

the top level. Subsequent runs only rebuild what changed.

Clean (including the SDK install):

```sh

./build.sh clean

```

---

## Deploying

`ps5debug-NG.elf` is loaded onto the PS5 via a umtx-based ELF loader (e.g.

elfldr from etaHEN-class loaders).

You should see a system notification confirming the payload is alive:

```

ps5debug-NG by OSR v1.2.2 loaded!

Coded by OpenSourcereR

Special thanks to

golden, Ctn & SiSTRo! ♥

```

---

## Writing your own client

The protocol is deliberately simple - a raw TCP client in any language can

drive it. Example: pinging the server and reading its branding string, in

Python (don't forget the bit-pair swap on the status word):

```python

import socket, struct

PACKET_MAGIC = 0xFFAABBCC

CMD_BRANDING = 0xBD000501

CMD_SUCCESS = 0x40000000

def bitswap32(x):

x &= 0xFFFFFFFF

return ((x << 1) & 0xAAAAAAAA) | ((x >> 1) & 0x55555555)

s = socket.create_connection(("<PS5_IP>", 744))

s.sendall(struct.pack("<III", PACKET_MAGIC, CMD_BRANDING, 0))

(status_raw,) = struct.unpack("<I", s.recv(4))

assert bitswap32(status_raw) == CMD_SUCCESS

(length,) = struct.unpack("<I", s.recv(4))

print("server branding:", s.recv(length).decode())

```

See [PROTOCOL.md](PROTOCOL.md) for the exact byte layout of every command,

response, and async interrupt packet.

---

## Source layout

```

.

├── build.sh # one-command full build

│

├── common/ # headers + sources shared by both components

│ ├── include/ # protocol.h, sdk_shim.h, net.h, proc.h, ...

│ └── source/

│

├── debugger/ # in-SceShellCore wire-protocol debugger

│ ├── Makefile source/ include/

│ └── third_party/ # Zydis (decoder) + Keystone (assembler)

│

├── installer/ # umtx-loaded SceShellCore installer

│ ├── Makefile source/

│ └── source/embedded_inner.S # embeds debugger.elf via .incbin

│

├── ps5-payload-sdk/ # vendored John Törnblom SDK

└── third_party/ # keystone-0.9.2 full source (for rebuilds)

```

Three source files (`kern_rw_fast.c`, `proc_elf.c`, `proc_remote.c`) and

`main.c` exist in **both** `debugger/source/` and `installer/source/` because

they genuinely diverge between the two builds - same code specialized for

each component's role.

---

## SDK pin

The vendored SDK is **ps5-payload-sdk v0.38** (commit

`6ae1470fd50c5791e8a8bb728627e657e36eb55a`, dated 2026-04-02). Upstream:

https://github.com/ps5-payload-dev/sdk

To upgrade the SDK:

```sh

./build.sh clean

rm -rf ps5-payload-sdk

curl -fsSL https://github.com/ps5-payload-dev/sdk/archive/refs/tags/<TAG>.tar.gz \

| tar xz -C /tmp

mv /tmp/sdk-<TAG_WITHOUT_v> ps5-payload-sdk

./build.sh

```

---

## Credits

- **jogolden** - original public `ps4debug` and the wire protocol this project

indirectly inherits.

- **Ctn & SiSTRo** - `ps5debug` authors; this project is wire-compatible with

their implementation.

- **DeathRGH** - Frame4 author. Inspiration.

- **John Törnblom** - `ps5-payload-sdk`, the vendored SDK / toolchain.

- **Zydis** - x86 disassembler used in decoder-only mode (`ZYAN_NO_LIBC`,

`-DNDEBUG`). Third-party, unmodified; MIT-licensed.

- **Keystone** - LLVM-MC-based assembler; cross-compiled here for the PS5

payload (x86-only, `-fno-exceptions -fno-rtti`, static).

- **OSR** (OpenSourcereR) - author.

---

## License

Licensed under the **GNU General Public License v3.0** - see [LICENSE.txt](LICENSE.txt)

for the full text.

In short:

- You may use, study, modify, and redistribute this software freely.

- If you distribute a modified binary, you **must** also make the complete

corresponding source code available under the same license.

- The software is provided **without warranty** of any kind.

Backporting is getting harder, but Bestpig keeps delivering!

While backporting for lower firmwares ( 4.xx, 5.xx, etc. ) is becoming a massive technical challenge, Bestpig continues to deliver through sheer hard work and passion.

If you appreciate having the latest games running on lower FW, please consider showing some love and supporting him on Ko-fi. Let’s ensure he has the resources and motivation to keep this amazing project alive! 🙏

• ☕ ~Support/Donate here:~https://ko-fi.com/bestpig

• Thank you, Bestpig, for everything you do for the community!🚀

Remote Lua Loader

Remote lua loader for PS4 and PS5, based on gezine's findfing that allows games built with Artemis engine to load arbitrary lua file. This loader is not firmware dependant, and has been successfully tested on PS5 Pro 10.40.

Currently this loader is specific for the following list of games:

1. Raspberry Cube (CUSA16074)
2. Aibeya (CUSA17068)
3. Hamidashi Creative (CUSA27389)
4. Hamidashi Creative Demo (CUSA27390) - Requires latest firmware to download from PSN
5. Aikagi Kimi to Issho ni Pack (CUSA16229)
6. Aikagi 2 (CUSA19556)
7. IxSHE Tell (CUSA17112)
8. IxSHE Tell Demo (CUSA17126)
9. Nora Princess and Stray Cat Heart HD (CUSA13303)
10. Jinki Resurrection (CUSA25179)
11. Jinki Resurrection Demo (CUSA25180) - Requires latest firmware to download from PSN
12. Fuyu Kiss (CUSA29745)
13. Fuyu Kiss Demo (CUSA29746)
14. Nora Princess and Crying Cat 2 (CUSA13586)
15. Haruoto Alice Gram Snow Drop (CUSA14324)
16. Tonari ni Kanojo no Iru Shiawase Winter Guest (CUSA11977)
17. Mikagami Sumika no Seifuku Katsudou (CUSA11481)
18. Aerial Life (CUSA17122)

For guide on how to setup this loader, please refer SETUP.md

If you have the savedata setup and want to update the files, please refer UPDATE.md

This repo provides few payloads for you to play around. PRs for useful payloads are welcomed

Credits

• excellent blog post where most of the ideas of lua primitives are taken from
• flatz - for sharing ideas and lua implementations
• null_ptr - for helping to develop umtx exploit for PS5 & numerous helps with the loader development
• gezine - for sharing the vulnerable games & ideas
• specter & chendo - for webkit implementations which i refer a lot
• al-azif - parts and information grabbed from his sdk, aswell as from his ftp server
• horror - for the notification popup and ftp server payloads
• everyone else who shared their knowledge with the community

Note

• P2JB Works up to PS5 12.70 (patched on 13.00)
• Important note: this is not an instant exploit.
• It currently takes around 2 HOURS to trigger, so be patient.
• The big deal: PS5 10.20~12.00 users can now jailbreak and patch bdjstack.jar, making BD-JB + Poopsploit usable.

Know issue:

• Closing the game currently causes a kernel panic. So, for now, treat this mainly as a BD-J unpatch tool until that bug is fixed... Send bdj_unpatch_1320.elf from Gezine's BD-UN-JB to elfldr to unpatch BD-J.

* Some errors \

• missing SECURITY_FLAGS offset for fw ××.××.
• Debug:Missing fw offsets xx.xx.

* Solution

• you need to update your save files! by using garlic saves!

* Read the whole post to get an idea of Lua Loader, Y2JB and WebKit stuff

'_'

* Lua Loader+P2JB is set to release soon.

* The kernel panic issue when closing the game wasn't fixable at this time.

* So to allow people to unpatch BD-J up to 12.00 and then jailbreak with BD-J+Poops that'll be it's use case.

* If you're on 12.02-12.70 or in general a digital user, even if you jailbreak you can't close the game without the console shutting down so it's not that useful.

After it is released if someone else works on it or something to fix it nice. If not that's just it for now since there's other stuff to do.

* Y2JB is usable to jailbreak practically up to 12.40.

* You'll have to wait and hope for Y2JB to get working with P2JB but I expect it'll also mainly be for unpatching BD-J up to 12.00.

* I don't know how long you guys with digital consoles and with 12.02-12.40 would be willing to keep using it so don't get yourself worked up with it.

And stop fucking buying digital consoles 😭

You gotta pray at this point that the recently posted WebKit poc is exploitable for a userland. It'll take a bit of time for it to be looked into so be patient on it.

IF it is exploitable for a userland it will at least make it perfectly viable and free for any users to jailbreak up to (hopefully) 12.00 with poopsploit.

Even if it works on higher firmware you're in the same situation as lua users where the 2 hour kernel exploit is waiting and you ain't built for it ;(

By Dr.Yenyen

By BrutalSam mod Webkit Use after free in EventTarget Run test: brutal-sam.github.io/uaf-maybe/

(it may or may not be exploitable)