Userland code execution using the PS5 YouTube app.

• At least 4.03 firmware PS5

• Fake or legit activated PS5
• USA YouTube app version 1.03 PKG
• FTP access to the console

• USB flash drive
• Pre-made backup file

1. Navigate to Settings > Network > Settings > Set Up Internet Connection
2. Scroll to the bottom and select Set Up Manually
3. Choose your connection type:
   • Use WiFi: Enter network name and password manually, set security to "WPA-Personal..."
   • Use a LAN Cable: Proceed to next step
4. Under DNS Settings, change from "Automatic" to Manual
5. Set Primary DNS to 127.0.0.2 (leave Secondary DNS blank)
6. Press Done and wait for the connection to establish

Note: You may see a network/PSN connection error - this is expected and can be ignored. The console will still function normally for YouTube payload delivery.

Alternative: Block PSN servers and www.youtube.com from your custom DNS server instead of using 127.0.0.2

Note: If you're using the backup file from the releases page, you can skip this section.

You need a fake-activated account to run Y2JB properly.

If you have a legit PSN-activated account: This means your account is officially registered and activated through PlayStation Network. You cannot use this account directly with Y2JB - you must create and use a separate fake-activated account instead.

To fake activate an account:

1. Open etaHEN toolbox while logging in to created new offline account
2. Navigate to the "Remote Play" menu
3. The account will be automatically fake activated

1. Install YouTube app version 1.03 PKG on your PS5
2. Use FTP to access the following path (create if not present):

   /user/download/PPSA01650
   

3. Download download0.dat from the releases page and send it using FTP

1. Download the backup file from the releases page
2. Follow Sony's official guide to restore backup data from USB
   Note: Restoring backup WILL FACTORY RESET YOUR PS5

Note: If you're using the backup file version 1.2.1 or higher from the releases page, you can skip this section.

This script prevents YouTube from updating if you accidentally connect to the internet, which can cause softlock preventing YouTube from launching (for fix go to next section).

1. After installing the YouTube PKG, retrieve /system_data/priv/mms/appinfo.db from your PS5 using FTP
2. Place appinfo.db in the same directory as appinfo_editor.py
3. Run the script. This modifies appinfo.db to block YouTube updates:

   python appinfo_editor.py
   

4. To avoid database corruption when replacing the file:
   • Close the YouTube app
   • Navigate to the Settings page
   • Ensure no packages are being installed or updated
5. Use FTP to replace /system_data/priv/mms/appinfo.db with the modified version
6. If you do not receive any database corruption notification, reboot your PS5

This can happen when user (mostly wifi) connects to the internet before setting 127.0.0.2 DNS.

1. Once you get softlock, first connect to the internet normally without custom DNS
2. Launch YouTube again and deny the system software update popup
3. Now it will let you run YouTube
4. Run the jailbreak and load HEN
5. Now set 127.0.0.2 DNS again and uninstall YouTube
6. Follow Jailbroken PS5 section and Blocking YouTube Updates (appinfo_editor.py) section again
7. Restart PS5. Done.

Note: The Remote JS Server does not always run on port 50000. Most of the time it will use port 50000, but rarely it may use a different port - this is not a bug.

Payloads can be sent using payload_sender.py with Python installed.

Usage:

python payload_sender.py <host> <file>
python payload_sender.py <host> <port> <file>

Examples:

python payload_sender.py 192.168.1.100 helloworld.js
python payload_sender.py 192.168.1.100 50000 helloworld.js
python payload_sender.py 192.168.1.100 9020 payload.bin

Firmware Compatibility: Only works up to firmware 10.01

After the Lapse payload succeeds, you need to send the HEN or other elf binary to port 9021. You can use any TCP payload sender such as:

• netcat
• payload_sender.py

Example:

python payload_sender.py 192.168.1.100 9021 hen.bin

• shahrilnet, null_ptr - Referenced many codes from Remote Lua Loader
• ntfargo - Thanks for providing V8 CVEs and CTF writeups
• abc and psfree team - Lapse implementation
• flat_z and LM - Helping implement GPU rw using direct ioctl
• john-tornblom and EchoStretch - Providing elfldr.elf payload
• hammer-83 - Various BD-J PS5 exploit references
• zecoxao, idlesauce, and TheFlow - Helping troubleshoot dlsym
• Dr.Yenyen and PS5 R&D community - Testing Y2JB
• Rush - Creating Y2JB backup file

This tool is provided as-is for research and development purposes only. Use at your own risk. The developers are not responsible for any damage, data loss, or consequences resulting from the use of this software.