Jailbreak a PS5 on firmware 11.60 from inside the YouTube TV app
Open TCP port 9021 on a PS5 to receive further homebrew ELF payloads
Study a real-world JavaScript port of a Lua-based kernel exploit chain
Requires a PS5 on firmware 11.60 with a restored Y2JB backup, a FAT32 USB, and a ~2-hour untouched leak run that allows only one attempt per boot.
This repository is a port of a PlayStation 5 jailbreak payload, originally written by Gezine and cheburek3000 for a Lua-based host, to a different host called Y2JB that runs JavaScript inside the PS5's YouTube TV app. The README states it has been tested on PS5 firmware 11.60, and that the bundled offset table covers firmwares 9.00 through 12.40, though only 11.60 has been confirmed on real hardware. The author labels the project work in progress and says the in-memory jailbreak completes reliably, but closing the YouTube host app afterwards currently triggers a kernel panic on the console.

The README explains the mechanism in plain terms. A worker repeatedly calls a syscall named kqueueex, which after about two hours overflows a 32-bit reference counter in the PS5 kernel. The resulting use-after-free is turned into a kernel read and write primitive, which is then used to give the host process root, enable the debug menu, and load a separate program called elfldr_1320 from a USB drive. That program listens on TCP port 9021 so other binaries can be sent to the running console.

Usage is laid out as a sequence. You first need to restore Gezine's Y2JB system backup on the PS5, which is documented in a separate repository. You copy elfldr_1320.elf to a FAT32 or exFAT USB stick, plug it into the PS5, open the YouTube app, wait at least sixty seconds for the host to quiet down, then send the payload from a PC using a Python tool called payload_sender.py. The payload logs back to the PC. An early pre-flight check reports a number, and if it is over a threshold the run aborts cleanly without touching the kernel, so no reboot is needed before retrying.

The README is candid about constraints. The long leak runs silent for about two hours and the PS5 must not be touched. Only one attempt is allowed per boot, because a marker file is dropped at stage zero to refuse a second run. The YouTube app must stay open until any persistent payload has been delivered, and the author strongly recommends sending a follow-up unpatcher called BD UN JB to port 9021 right after completion so the jailbreak survives a kernel panic on app close.

The author notes that they do not normally do PS5 exploit work and that the project is a personal learning attempt that glues other people's primitives onto the Y2JB host. Credits go to Gezine and cheburek3000 for the kernel exploit, to Gezine for the Y2JB framework and the ELF loader binary, and to a few reference projects used during the port. The license is MIT.
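The root cause the README names, a 32-bit reference counter that wraps after 2^32 increments, is a general kernel-hardening lesson rather than anything specific to the PS5, so the following is an added illustration of that bug class and its standard mitigation. It is not code from this repository, from the original Lua payload, or from the PS5 kernel; the types naive_refcount_t and sat_refcount_t, their helper functions, and the ceiling value REFCOUNT_SATURATED are all hypothetical names chosen for this example. The naive counter models what the page describes: after exactly 2^32 extra references the counter reads as if none had been taken, so the one legitimate release frees an object that still has billions of live references. The saturating counter refuses to wrap: once it reaches its ceiling it sticks there and the object is deliberately leaked instead of ever being freed, which is the design used by hardened refcount types in mainstream kernels.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added illustration of 32-bit reference-counter wraparound versus a
 * saturating counter. All names here are hypothetical; this is not the
 * PS5 kernel's or the payload's code. */

/* --- naive counter: plain modular arithmetic --------------------------- */
typedef struct { uint32_t count; } naive_refcount_t;

/* Same result as calling a unit increment n times, computed without a
 * 2^32-iteration loop: the uint32_t truncation is the wraparound. */
static void naive_add(naive_refcount_t *r, uint64_t n) {
    r->count = (uint32_t)((uint64_t)r->count + n);
}

/* Returns true when the object "should be freed" (count hit zero). */
static bool naive_dec_and_test(naive_refcount_t *r) {
    return --r->count == 0;
}

/* --- saturating counter: the mitigation --------------------------------- */
#define REFCOUNT_SATURATED 0xC0000000u   /* hypothetical ceiling */

typedef struct { uint32_t count; } sat_refcount_t;

/* Adds n references; if that would reach the ceiling the counter is pinned
 * at REFCOUNT_SATURATED and false is returned so the caller can log it. */
static bool sat_add(sat_refcount_t *r, uint64_t n) {
    if (r->count >= REFCOUNT_SATURATED ||
        n >= (uint64_t)(REFCOUNT_SATURATED - r->count)) {
        r->count = REFCOUNT_SATURATED;
        return false;
    }
    r->count += (uint32_t)n;
    return true;
}

/* A saturated object is never released: leaking it is the safe failure. */
static bool sat_dec_and_test(sat_refcount_t *r) {
    if (r->count >= REFCOUNT_SATURATED) return false;
    return --r->count == 0;
}

/* Scenario shared by both counters: one legitimate owner holds a reference,
 * `extra_refs` further references are taken and never dropped, then the
 * owner releases its single reference. Returns true if the object is freed
 * at that point, i.e. while extra_refs references are still outstanding. */
bool naive_frees_after(uint64_t extra_refs) {
    naive_refcount_t r = { 1 };
    naive_add(&r, extra_refs);
    return naive_dec_and_test(&r);
}

bool sat_frees_after(uint64_t extra_refs) {
    sat_refcount_t r = { 1 };
    sat_add(&r, extra_refs);
    return sat_dec_and_test(&r);
}

int main(void) {
    const uint64_t wrap = 4294967296ULL;   /* 2^32 */
    printf("naive, 5 extra refs, owner releases -> freed? %d (expect 0)\n",
           naive_frees_after(5));
    printf("naive, 2^32 extra refs, owner releases -> freed? %d (expect 1: UAF)\n",
           naive_frees_after(wrap));
    printf("saturating, 2^32 extra refs, owner releases -> freed? %d (expect 0)\n",
           sat_frees_after(wrap));
    return 0;
}
```

The interesting comparison is the middle case: with the naive counter, 2^32 outstanding references are invisible and the owner's normal release frees the object underneath them, which is the use-after-free the page describes being turned into a kernel read/write primitive. The saturating version turns the same condition into a bounded memory leak, and because sat_add reports the saturation, a kernel can also emit a warning at that point, giving defenders a detection signal for a process that takes an implausible number of references on one object.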
Generated 2026-05-22 · Model: sonnet-4-6 · Verify against the repo before relying on details.