[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-78072":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":9,"language":10,"languages":9,"totalLinesOfCode":9,"stars":11,"forks":12,"watchers":13,"openIssues":14,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":15,"stars7d":16,"stars30d":17,"stars90d":15,"forks30d":15,"starsTrendScore":18,"compositeScore":19,"rankGlobal":9,"rankLanguage":9,"license":20,"archived":21,"fork":21,"defaultBranch":22,"hasWiki":23,"hasPages":21,"topics":24,"createdAt":9,"pushedAt":9,"updatedAt":25,"readmeContent":26,"aiSummary":27,"trendingCount":15,"starSnapshotCount":15,"syncStatus":18,"lastSyncTime":28,"discoverSource":29},78072,"P2JB-Y2JB-Porting","matem6\u002FP2JB-Y2JB-Porting","matem6","PS5 jailbreak via the Y2JB. Ports Gezine's p2jb kqueueex cr_ref overflow",null,"JavaScript",221,27,17,13,0,9,189,2,4.34,"MIT License",false,"main",true,[],"2026-06-12 02:03:46","# p2jb-y2jb\n\n**PlayStation 5 jailbreak (firmware 9.00 – 12.40, tested on 11.60)**\n— a port of Gezine \u002F cheburek3000's\n[p2jb](https:\u002F\u002Fgithub.com\u002FGezine\u002FLuac0re) kernel exploit (cr_ref\noverflow via `kqueueex`) from the luac0re (lua-loader) host to\n[Y2JB](https:\u002F\u002Fgithub.com\u002FGezine\u002FY2JB) (YouTube \u002F V8 JavaScript host).\n\nConfirmed working: jailbreak end-to-end + debug menu + USB-loaded\n`elfldr_1320` + persistent unpatcher delivery.\n\n> ⚠️ **Status — work in progress.** The in-memory jailbreak completes\n> reliably, but **closing the YouTube host app after `=== p2jb complete ===`\n> currently kernel-panics the console**. The\n> [post-jailbreak stability work](#known-limitations) is ongoing.\n> In practice this is not a blocker if you apply\n> [BD-UN-JB](https:\u002F\u002Fgithub.com\u002FGezine\u002FBD-UN-JB) right after the\n> jailbreak completes.\n\n> **Firmware support:** confirmed on **11.60**. 
The bundled offsets\n> table covers firmwares **9.00 – 12.40** (luac0re-sourced values),\n> but only 11.60 has been tested on hardware — other versions should\n> work in theory but are untested.\n\n---\n\n## How it works\n\nThe payload triggers a 32-bit `cr_ref` overflow in the PS5 kernel\n(via ~2³² `kqueueex` syscalls, ~50 minutes), uses the resulting\nuse-after-free to build a kernel read\u002Fwrite primitive, escalates the\nhost process to root, enables the debug menu, and loads\n`elfldr_1320` from USB — exposing a remote ELF loader on TCP `:9021`.\n\n---\n\n## Requirements\n\n### PS5 setup (Y2JB)\n\nThis payload runs **inside** the Y2JB userland framework on the PS5\n(the YouTube TV app modded to run arbitrary JavaScript). Before you\ncan send anything to the console, you must restore Gezine's Y2JB\nsystem backup on the PS5 — see [Gezine\u002FY2JB](https:\u002F\u002Fgithub.com\u002FGezine\u002FY2JB)\nfor the backup file and the restore procedure. Without Y2JB\nrestored and the YouTube TV app launched, the PS5 has no listener\nfor the payload and nothing will happen.\n\n### Hardware\n\n- PlayStation 5 console running firmware **9.00 – 12.40** (tested on 11.60).\n- A USB flash drive formatted FAT32 or exFAT.\n- A PC on the same LAN as the PS5.\n\n### Software (on PC)\n\n- The `payload_sender.py` delivery tool from\n  [Gezine\u002FY2JB](https:\u002F\u002Fgithub.com\u002FGezine\u002FY2JB) (not included here).\n- [Al-Azif\u002Fhermes-link](https:\u002F\u002Fgithub.com\u002FAl-Azif\u002Fhermes-link) (or any\n  equivalent tool) for delivering ELFs to the loader on `:9021`.\n\n### Files\n\n- `p2jb.js` — the jailbreak payload (this repo).\n- `elfldr_1320.elf` — included in this repo for convenience. Binary by\n  Gezine.\n\n---\n\n## Usage\n\n### 1. Prepare the USB drive\n\nCopy `elfldr_1320.elf` to the root of your USB drive (FAT32 or exFAT),\nexactly as `\u002Felfldr_1320.elf`. Plug it into the PS5 before launching\nthe payload.\n\n### 2. 
Send the payload\n\nFrom the PC:\n\n```sh\npython payload_sender.py \u003Cps5-ip> p2jb.js\n```\n\nThe payload streams its log back to `payload_sender.py`'s console.\n\nThe first number (`master`) is a fingerprint of how busy YouTube is at\nthat moment: lower means the app has fewer fds open and the host is\nquieter. **The rest of the run is much more likely to complete when\n`master` is 34 or less**; higher values empirically correlate with\nkernel panics later on. If `master` is above 34, close YouTube\n(Options → Close application), reopen it, wait longer this time, and\nretry from step 2.\n\n### 3. Wait ~50 minutes\n\nThe cr_ref leak dominates the runtime. The payload sender will stay\nsilent for the whole leak — no per-percentage progress is printed.\nDon't assume it has crashed; the worker is internally checked for\nliveness and a stall would surface as a `FATAL` log line. Do not\ninteract with the PS5 while it runs.\n\n### 4. Look for completion\n\n```\n[p2jb] stage_elfldr: daemon should be listening on :9021\n[p2jb] === p2jb complete ===\n```\n\nAt this point you have an in-memory jailbreak and a generic ELF loader.\nAny ELF you send to `:9021` will run on the jailbroken PS5.\n\n> ⚠️ Do **not** close the YouTube app or let the console go idle for\n> too long without doing something — see\n> [Known limitations](#known-limitations).\n\n### Sending an ELF to `:9021`\n\nA convenient tool for delivering ELFs to the loader is\n[Al-Azif\u002Fhermes-link](https:\u002F\u002Fgithub.com\u002FAl-Azif\u002Fhermes-link). It takes\ncare of the TCP handshake the loader expects, so you don't have to\nwrite the byte protocol yourself.\n\n### Next step (recommended): apply BD-UN-JB\n\nApplying [BD-UN-JB](https:\u002F\u002Fgithub.com\u002FGezine\u002FBD-UN-JB) is recommended.\nSend its unpatcher ELF to `:9021` (e.g. 
via the hermes-link tool above)\nand refer to BD-UN-JB's own documentation for the rest.\n\n---\n\n## Known limitations\n\n- ⚠️ **Closing the YouTube host app kernel-panics the console (WIP).**\n  After `=== p2jb complete ===`, exiting YouTube from the PS5 menu\n  triggers an improper shutdown. The post-jailbreak kernel-state\n  cleanup is not yet bulletproof. **Mitigation:** apply a persistent\n  jailbreak (e.g. [BD-UN-JB](https:\u002F\u002Fgithub.com\u002FGezine\u002FBD-UN-JB)) before\n  closing — its effect survives the panic-on-close.\n- **One run per boot.** A `p2jb.fail` marker is dropped at stage 0 entry\n  to refuse re-runs without a reboot — the triple-free is a point of\n  no return.\n- **YouTube app must stay open** until your persistent payload (if any)\n  has applied.\n\n---\n\n## A note from the author\n\nI don't normally work on PS5 exploits or low-level reverse engineering.\nThis repository is the result of a personal attempt to understand how\nthe scene's techniques work — not a contribution from a scene developer.\nI'm publishing it in case it's useful to someone on firmware 11.60 who\nis stuck, but please don't read it as me claiming expertise on the\ntopic. 
The real work is by the people credited below; I just tried to\nglue their primitives into a working flow on the Y2JB host and learn\nalong the way.\n\n---\n\n## Credits\n\n- **`p2jb` kernel exploit (cr_ref overflow via `kqueueex`)** —\n  Gezine \u002F cheburek3000.\n  [Luac0re](https:\u002F\u002Fgithub.com\u002FGezine\u002FLuac0re).\n- **Y2JB userland framework** — Gezine.\n  [Y2JB](https:\u002F\u002Fgithub.com\u002FGezine\u002FY2JB).\n- **`elfldr_1320`** — Gezine (ELF loader binary).\n- **`notmaj0r` remote_lua_loader p2jb port** — used as a secondary\n  reference during the port.\n- **`BD-UN-JB` persistent unpatcher** — Gezine.\n  [BD-UN-JB](https:\u002F\u002Fgithub.com\u002FGezine\u002FBD-UN-JB).\n- **lapse (Y2JB)** — referenced for the `gpu.js` debug-menu apply\n  flow; not the exploit itself (lapse exploits AIO, not `kqueueex`).\n- **Edigax** — help with the multi-core leak implementation, bringing\n  the `cr_ref` leak down from ~2 hours to ~48 minutes.\n- **Claude (Anthropic)** — AI assistant used throughout the port:\n  iterative debugging across the worker \u002F Stage 0 saga, D-fix\n  identification, host-noise gate, public release packaging.\n\n---\n\n## License\n\nMIT — see [LICENSE](LICENSE).\n","This project provides a PS5 jailbreak method implemented via Y2JB, supporting firmware versions 9.00 to 12.40. Its core function is to use the `kqueueex` system call to trigger a `cr_ref` overflow vulnerability in the kernel, thereby obtaining kernel read/write access, elevating the host process to root, enabling the debug menu, and loading the `elfldr_1320` file from USB to enable a remote ELF loader. Technically, it is written in JavaScript and runs inside a modified YouTube TV application (the Y2JB framework). Although closing the YouTube app currently causes a console kernel panic, combining it with other tools such as BD-UN-JB can effectively work around this limitation. This project is suitable for operators wishing to deeply customize or research the PS5, especially users with some technical skill who are willing to explore unauthorized functionality.","2026-06-11 03:56:25","CREATED_QUERY"]