If you find this project useful and would like to support its continued development, consider buying me a coffee!
The Source code is provided in the Source code folder under GPLv3 with all the necessary files to build it as required under GPLv3 However I will not be providing instructions on how to build it since any dev should know how to use cmake
- https://tinyurl.com/PS5IPV6 (requires you to manually send the payload but has the best stability)
- https://ps5jb.pages.dev/ (auto loads the payload for you, id recommand the IPV6 exploit over UMTX)
if you haven't already, you will need to either enable script execution globally via
Set-ExecutionPolicy Bypass
in an admin PowerShell window or run the script with this command after replacing the script path
powershell.exe -ExecutionPolicy Bypass -File C:\Path\To\send_payload.ps1
Script Usage
.\send_payload.ps1 -Payload "C:\path\to\example.elf" -IP "192.168.xxx.xxx" -Port XXXX
OR
.\send_payload.ps1
cmdlet send_payload.ps1 at command pipeline position 1
Supply values for the following parameters:
(Type !? for Help.)
Payload: C:\path\to\example.elf
IP: 192.168.xxx.xxx
Port: XXXX
- Common Ports: SB elfldr 9021, exploit elfldr 9020
- โ etaHEN toolbox (debug settings replacement)
- Custom etaHEN Plugins
- [Toolbox] Install the Homebrew Store on the console
- [Toolbox] โ Rest Mode Options
- [Toolbox] Remote Play Menu
- [Toolbox] Plugin / Payload ELF Menu with auto start options
- [Toolbox] External HDD Menu
- [Toolbox] TestKit Menu
- [Toolbox] Cheats Menu (WIP)
- [Toolbox] Controller Shortcuts
- [Toolbox] PS5 webMAN Games menu
- [Toolbox] Custom Game Options Menu
- [Toolbox] Display Title IDs on Home menu
- [Toolbox] Disable toolbox auto start
- [Toolbox] Blu-Ray license activation
- [Toolbox] Disc auto eject for BD-J and LUA based exploits
- [Toolbox] etaHEN credits and supporters
- [Toolbox] Custom debug settings text and icon
- [Toolbox] Auto open menu after etaHEN loads
- [Toolbox] a number of different toolbox settings
- React bundle (all FWs) & Self (only on 2.xx) FTP decryption Support
- 2 seperate daemons for improved stability and reliability
- The Util daemon will be auto restarted by the main etaHEN daemon
- Custom System Software version (custom System info)
- kstuff for fself and fpkg support
- etaHEN log in /data/etaHEN
- (optional) System-wide controller shortcut to open itemzflow
- Debug Settings
- Game Dumper (Intrgrated with Itemzflow)
- HEN config file for settings
- Jailbreak IPC call (jailbreaks Homebrew apps)
- Update blocker (unmounts update partition)
- Optional Illusions cheats/patches Plugin
- Optional FTP server on port 1337
- Optional /data allowed inside apps sandboxes
- Klog server on port 9081
- elf loader on port 9021 (use Johns elfldr)
- Optional PS5Debug
- Itemzflow intergration
- Optional Discord RPC server on port 8000, click here for setup instructions
- Optional Direct PKG installer V2 service with WebUI on http://PS5_IP:12800
- Optional Direct PKG installer service on port 9090
make your own custom plugins via the etaHEN SDK More info Here
- [Toolbox] FPS Counter
- [Toolbox] On-Screen temps and other info (for retails)
- More userland patches
- Improved PS5 Game support (itemzflow)
- More (consider donating)
etaHEN's ini settings file can be found at /data/etaHEN/config.ini and can be accessed using the built-in FTP
and is automatically created when you run etaHEN for the first time
| INI Key | Description | Default value |
|---|---|---|
PS5Debug |
0 = disables PS5Debug (Sistr0) auto load, 1 = enable PS5Debug auto load | 0 (disabled) |
FTP |
0 = disables etaHEN built-in FTP, 1 = enables it | 1 (enabled) |
discord_rpc |
0 = disables Discord RPC server, 1 = enables it | 0 (disabled) |
toolbox_auto_start |
0 = disabled, 1 = enabled | 1 (enabled) |
Allow_data_in_sandbox |
0 = disables /data in an apps sandbox, 1 = enables it | 1 (enabled) |
DPI |
0 = disables The Direct PKG Installer service, 1 = enables it | 0 (disabled) |
DPI_v2 |
0 = disables DPI version 2, 1 = enables it | 0 (disabled) |
Klog |
0 = disables kernel logging, 1 = enables it | 0 (disabled) |
ALLOW_FTP_DEV_ACCESS |
0 = disables FTP developer access, 1 = enables it | 0 (disabled) |
StartOption |
0=None, 1=Home menu, 2=Settings, 3=Toolbox, 4=itemzflow | 0 (None) |
Rest_Mode_Delay_Seconds |
Delay in seconds before patching shellui coming out rest mode | 0 (no delay) |
Util_rest_kill |
0 = don't kill the util daemon during rest, 1 = Do kill it on rest | 0 (disabled) |
Game_rest_kill |
0 = don't kill the open game during rest, 1 = Do kill it on rest | 0 (disabled) |
disable_toolbox_auto_start_for_rest_mode |
0 = disabled, 1 = enabled | 0 (disabled) |
libhijacker_cheats |
0 = disables libhijacker cheats, 1 = enables it | 0 (disabled) |
launch_itemzflow |
0 = disabled, 1 = enables auto launch of itemzflow | 0 (disabled) |
testkit |
0 = disabled, 1 = enables testkit mode | 0 (disabled) |
Display_tids |
0 = disabled, 1 = enables display of title IDs | 0 (disabled) |
APP_JB_Debug_Msg |
0 = disabled, 1 = enables app jailbreak debug messages | 0 (disabled) |
etaHEN_Game_Options |
0 = disabled, 1 = enables etaHEN game options | 1 (enabled) |
auto_eject_disc |
0 = disabled, 1 = enables automatic disc ejection | 0 (disabled) |
Cheats_shortcut_opt |
Multi-select option for cheats shortcut | 0 (CHEATS_SC_OFF) |
Toolbox_shortcut_opt |
Multi-select option for toolbox shortcut | 0 (TOOLBOX_SC_OFF) |
Games_shortcut_opt |
Multi-select option for games shortcut | 0 (GAMES_SC_OFF) |
Kstuff_shortcut_opt |
Multi-select option for kstuff shortcut | 0 (KSTUFF_SC_OFF) |
etaHEN's Direct PKG Installer currently is very simple and is considered a WIP the service flow is as follows
- Connect to etaHEN's TCP server via port 9090 (using the PS5s IP)
- Send a URL to etaHEN in the following json format
{ "url" : "http://xxxx" }
- etaHEN will then send back the return value (0 on success)
{ "res" : "0" }
- etaHEN will close the client socket after the return json is sent
enum Commands : int {
INVALID_CMD = -1,
ACTIVE_CMD = 0,
LAUNCH_CMD,
PROCLIST_CMD,
KILL_CMD,
KILL_APP_CMD,
JAILBREAK_CMD
};
struct HijackerCommand
{
int magic = 0xDEADBEEF;
Commands cmd = INVALID_CMD;
int PID = -1;
int ret = -1337;
char msg1[0x500];
char msg2[0x500];
};
int HJOpenConnectionforBC() {
SceNetSockaddrIn address;
address.sin_len = sizeof(address);
address.sin_family = AF_INET;
address.sin_port = sceNetHtons(9028); //command serve port
memset(address.sin_zero, 0, sizeof(address.sin_zero));
sceNetInetPton(AF_INET, "127.0.0.1", &address.sin_addr.s_addr);
int socket = sceNetSocket("IPC_CMD_SERVER", AF_INET, SOCK_STREAM, 0);
if (sceNetConnect(socket, (SceNetSockaddr*)&address, sizeof(address)) < 0) {
close(socket), socket = -1;
}
return socket;
}
bool HJJailbreakforBC(int& sock) {
// send jailbreak IPC command
HijackerCommand cmd;
cmd.PID = getpid();
cmd.cmd = JAILBREAK_CMD;
if (send(sock, (void*)&cmd, sizeof(cmd), MSG_NOSIGNAL) == -1) {
puts("failed to send command");
return false;
}
else {
// get ret val from daemon
recv(sock, reinterpret_cast<void*>(&cmd), sizeof(cmd), MSG_NOSIGNAL);
close(sock), sock = -1;
if (cmd.ret != 0 && cmd.ret != -1337) {
puts("Jailbreak has failed");
return false;
}
return true;
}
return false;
}
int main()
{
int ret = HJOpenConnectionforBC();
if (ret < 0) {
puts("Failed to connect to daemon");
return -1;
}
if (!HJJailbreakforBC(ret))
{
puts("Jailbreak failed");
return -1;
}
return 0;
}
- Buzzer
- sleirsgoevy
- ChendoChap
- astrelsky
- illusion
- CTN & SiSTR0 for PS5Debug
- Nomadic (Discord RPC feature)