A fork of remote_lua_loader with advanced post-exploitation capabilities for PS4 firmware 11.00 and 12.02.
⚠️ DISCLAIMER: This project is for educational and research purposes only. Use at your own risk.
💡 Note: If you do not want to dump your kernel, simply do not insert a USB device; the exploit then skips the dump and only jailbreaks the process for full FTP access.
This project implements several advanced kernel exploitation techniques:
- Breaks out of the PS4's BSD jail restriction
- Grants root filesystem access
- Modifies process credentials to achieve elevated privileges
- Enables access to previously restricted system areas
- Implements both static and dynamic methods to find kernel base address
- Uses EVF (Event Flag) string leak for KBASE calculation
- Dumps the entire PS4 kernel to USB storage
- Supports large kernel dumps with progress tracking
- Implements chunked reading (16KB blocks) for stability
- Includes real-time progress notifications
- After running this exploit, the game process is jailbroken
- You can use `ftp_server.lua` from the original remote_lua_loader repo
- Provides full filesystem access via FTP
- No more restrictions on file browsing and transfers
- ✅ Memory operation patches (bcopy, bzero, memcpy, etc.)
- ✅ Syscall validation bypass
- ✅ sys_setuid privilege escalation
- ✅ vm_map_protect for RWX mappings
- ✅ sys_dynlib_dlsym with additional patches
- ✅ sys_kexec creation on syscall 11
- ✅ sys_mmap RWX protections
| Firmware | Status |
|---|---|
| 12.02 | ✅ Tested |
| 11.00 | ✅ Tested |
| 9.00 | ✅ Tested |
"Thanks to n0llptr for adding 9.00 offsets"
🚧 Work in Progress
- A PS4 with supported firmware
- A supported LUA game (see remote_lua_loader for list)
- Remote LUA Loader setup on your PC
- Follow the setup instructions from remote_lua_loader
- Launch your LUA-supported game on PS4
- Connect using the remote_lua_loader on your PC
- Send our modified `lapse.lua` file to your PS4
- The exploit will run automatically
- Your game process is now jailbroken
- You can send `ftp_server.lua` from the original repo for full FTP access
- USB kernel dumps will be saved to `/mnt/usb0/kernel.elf`
The EVF (Event Flag) constant is a kernel string whose address can be leaked through various vulnerabilities. Because the string sits at a fixed, firmware-specific offset from the kernel base, the leaked pointer gives the base directly:
`KBASE = leaked_evf_pointer - firmware_specific_evf_offset`
The dynamic method is a brute-force scanner that:
- Aligns addresses to page boundaries (0x1000)
- Scans backwards from the leaked pointer
- Validates findings using:
  - ELF header magic bytes
  - Target ID validation
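The following is an added example, not code from this project or from remote_lua_loader: it shows the static and dynamic KBASE recovery described above together with the chunked 16KB dump with progress reporting from the feature list, written in C against a stand-in `kread()` primitive (the project's real code is Lua running inside the game process). The simulated address space, the ELF image inside it, the `evf` string, the `FAKE_EVF_OFFSET` and `FAKE_DUMP_SIZE` values and the `tmpfile()` output are all constructed for the example; real firmware offsets and the target ID check are not reproduced.

```c
/* Added example, not code from this project: the two kernel-base methods and
 * the chunked dump, written in C against a stand-in kread() primitive. The
 * project's real code is Lua running inside the game process; the fake
 * address space, the ELF image in it, the "evf" string, the offsets and the
 * dump size below are all constructed for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE       0x1000
#define CHUNK           0x4000     /* 16KB blocks, as in the feature list */
#define FAKE_MEM_SIZE   0x40000    /* size of the simulated kernel address space */
#define FAKE_KBASE      0x10000    /* where the constructed ELF image is placed */
#define FAKE_EVF_OFFSET 0x5230     /* constructed stand-in for a firmware offset */
#define FAKE_DUMP_SIZE  0x20000    /* constructed stand-in for the kernel size */

/* Simulated kernel memory. Everything outside FAKE_MEM_SIZE is "unmapped". */
static uint8_t fake_kmem[FAKE_MEM_SIZE];

/* Stand-in for the exploit's arbitrary kernel read. Returns -1 on a read
 * that would fault, which is exactly what a backwards scanner must expect. */
static int kread(uint64_t kaddr, void *out, size_t len) {
    if (kaddr > FAKE_MEM_SIZE || len > FAKE_MEM_SIZE - kaddr) return -1;
    memcpy(out, fake_kmem + kaddr, len);
    return 0;
}

/* Static method: the EVF string sits at a known offset from the kernel base,
 * so one subtraction recovers it. Only valid if evf_offset matches the
 * running firmware. */
static uint64_t kbase_static(uint64_t evf_ptr, uint64_t evf_offset) {
    return evf_ptr - evf_offset;
}

/* Dynamic method: page-align the leaked pointer, then walk backwards one page
 * at a time until a page starts with a 64-bit x86 ELF header. Returns 0 when
 * nothing is found within max_pages or a read fails. (The project also checks
 * a target ID field; that check is omitted here.) */
static uint64_t kbase_dynamic(uint64_t evf_ptr, unsigned max_pages) {
    uint64_t addr = evf_ptr & ~(uint64_t)(PAGE_SIZE - 1);
    for (unsigned i = 0; i < max_pages; i++) {
        uint8_t hdr[20];                         /* e_ident + e_type + e_machine */
        if (kread(addr, hdr, sizeof hdr) != 0) return 0;
        if (memcmp(hdr, "\x7f" "ELF", 4) == 0 &&
            hdr[4] == 2 &&                       /* EI_CLASS == ELFCLASS64 */
            hdr[18] == 0x3e && hdr[19] == 0)     /* e_machine == EM_X86_64 */
            return addr;
        if (addr < PAGE_SIZE) break;             /* do not wrap below 0 */
        addr -= PAGE_SIZE;
    }
    return 0;
}

/* Chunked dump: read CHUNK bytes at a time from kbase and write them to out,
 * calling progress() after every block. Stops at the first unreadable block
 * and returns the number of bytes actually written. */
static size_t dump_kernel(uint64_t kbase, size_t total, FILE *out,
                          void (*progress)(size_t done, size_t total)) {
    uint8_t buf[CHUNK];
    size_t done = 0;
    while (done < total) {
        size_t n = total - done < CHUNK ? total - done : CHUNK;
        if (kread(kbase + done, buf, n) != 0) break;
        if (fwrite(buf, 1, n, out) != n) break;
        done += n;
        if (progress) progress(done, total);
    }
    return done;
}

/* Fill the simulated memory with a minimal ELF header at FAKE_KBASE and an
 * "evf" string at FAKE_KBASE + FAKE_EVF_OFFSET (what the leak points at). */
static void setup_fake_kernel(void) {
    memset(fake_kmem, 0x90, sizeof fake_kmem);
    uint8_t *e = fake_kmem + FAKE_KBASE;
    memset(e, 0, 64);                            /* clean 64-byte ELF header */
    memcpy(e, "\x7f" "ELF", 4);
    e[4] = 2; e[5] = 1; e[6] = 1;                /* ELFCLASS64, little endian, EV_CURRENT */
    e[16] = 2; e[18] = 0x3e;                     /* ET_EXEC, EM_X86_64 */
    strcpy((char *)fake_kmem + FAKE_KBASE + FAKE_EVF_OFFSET, "evf (constructed)");
}

static void print_progress(size_t done, size_t total) {
    printf("dumped %zu/%zu bytes (%zu%%)\n", done, total, done * 100 / total);
}

int main(void) {
    setup_fake_kernel();
    uint64_t leaked = FAKE_KBASE + FAKE_EVF_OFFSET;  /* what the EVF leak would return */
    printf("static  kbase = 0x%llx\n", (unsigned long long)kbase_static(leaked, FAKE_EVF_OFFSET));
    uint64_t kbase = kbase_dynamic(leaked, 64);
    printf("dynamic kbase = 0x%llx\n", (unsigned long long)kbase);
    FILE *out = tmpfile();                           /* stands in for /mnt/usb0/kernel.elf */
    if (!out) return 1;
    size_t n = dump_kernel(kbase, FAKE_DUMP_SIZE, out, print_progress);
    printf("wrote %zu bytes\n", n);
    fclose(out);
    return 0;
}
```

Two design points worth noting: the scanner treats a failed `kread()` as "stop" rather than "skip", because on the real target a read of an unmapped page is a kernel panic, not a recoverable error, so the walk must never run past the lowest mapped page; and the dump reports progress per block and returns the byte count actually written, so a partial dump caused by an unreadable page is visible instead of silently producing a truncated `kernel.elf`.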
- Credential Modification: Zeros out uid/gid fields in `p_ucred`
- Jail Breaking: Updates process prison pointer to `prison0`
- Root Access: Replaces jail/root directory vnodes with system root vnode
- Automatic Firmware Detection: Detects running firmware and applies appropriate offsets
- Robust Error Handling: Validates operations at each step
- Progress Notifications: Real-time updates during kernel dumping
- USB Dump Support: Saves kernel dump to `/mnt/usb0/kernel.elf`
- FTP Compatibility: Jailbroken process allows full FTP server functionality
- Kernel memory manipulation techniques
- Process privilege escalation methods
- ELF format parsing and validation
- Memory scanning algorithms
- Filesystem jailbreak techniques