Share
## https://sploitus.com/exploit?id=0DFC8491-841C-5036-AD2D-DED5CDD8F04E
# PS4 12.00 Jailbreak + GoldHEN

One-click local proxy that jailbreaks PS4 FW 12.00 via NetCtrl kernel exploit and automatically loads GoldHEN.

No internet access needed after initial setup โ€” everything runs locally through a MITM proxy.

## Why This Exists

This project started as a personal learning exercise to understand PS4 exploitation by reverse engineering and improving an existing jailbreak chain:

- The original `earthonion.com` exploit had several pain points: its `serve.js` tried to save files to the PS4 filesystem via POST (which hung), and the Lapse exploit crashed with `thrd_create()` on FW 12.00
- By building a local MITM proxy, we could intercept, debug, and fix each step โ€” understanding exactly how the kernel exploit works, how `yield_to_render()` drives the async exploit chain, and how `binloader_init()` locates and loads GoldHEN from USB
- `serve_local.js` was written to replace the original loader โ€” it evals all JS directly in memory (no filesystem writes) and skips the conflicting menu UI, making the exploit more reliable and transparent
- The result is a clean, reproducible jailbreak that anyone can run from a single batch file โ€” and a documented reference for anyone curious about the internals

**Built for learning, shared for convenience.** All credit for the underlying exploits goes to the PS4 homebrew community.

## Requirements

- **PS4** on FW 12.00 with PS Vue app installed
- **PC** on the same network as PS4 (Windows/Linux/macOS)
- **Python 3.8+** installed
- **USB drive** (FAT32/exFAT) with `payload.bin` (GoldHEN) on the root

## Setup

### 1. Install dependencies

```
pip install mitmproxy
```

### 2. Get GoldHEN payload

Download GoldHEN v2.4b18.10 (or newer) and rename the `.bin` file to `payload.bin`. Place it on a FAT32/exFAT USB drive root.

### 3. Configure PS4 network

Settings โ†’ Network โ†’ Set Up Internet Connection โ†’ Wi-Fi or LAN โ†’ Custom:

- **IP Address**: Automatic
- **DHCP Host**: Do Not Specify
- **DNS**: Manual
  - Primary: `62.210.38.92`
  - Secondary: (leave blank)
- **MTU**: Automatic
- **Proxy Server**: Use
  - Address: `192.168.2.1`
  - Port: `8080`
- **UPnP**: Disable

> If your PC IP is different, change the proxy address to match.

### 4. Insert USB

Plug the USB with `payload.bin` into the PS4. Close any running game.

## Usage

### Windows

Double-click `start.bat`

### Linux / macOS

```
chmod +x start.sh
./start.sh
```

The proxy starts on port 8080. Then on PS4:

1. Launch **PS Vue** app
2. Navigate to `http://earthonion.com`
3. Wait. You'll see text log on screen:
   - `Downloading files...`
   - `FW: 12.00`
   - `NetCtrl exploit starting`
   - `Jailbreak Complete - JAILBROKEN`
   - `Payload loaded successfully` (GoldHEN loaded)
4. The app auto-closes. Press PS button โ†’ Settings โ†’ GoldHEN entries appear

**Total time**: ~30-90 seconds

## Troubleshooting

| Symptom | Fix |
|---------|-----|
| "can't find variable FW_VERSION" | Re-download latest bundle |
| Exploit starts but never completes | Reboot PS4 and try again (memory conditions vary) |
| "No payload found" in logs | Check USB is inserted and `payload.bin` is on root |
| Can't connect to earthonion.com | Check PS4 proxy address/port matches PC |
| Proxy won't start | Run `pip install mitmproxy` first, check port 8080 is free |
| Black screen with no text | Close any running game before launching Vue |

## How It Works

1. PS Vue requests `earthonion.com/manifest.aes` โ€” proxy returns a modified manifest pointing to our local `serve_local.js`
2. `serve_local.js` downloads all exploit JS files from the local proxy (no internet needed)
3. The NetCtrl kernel exploit (`netctrl_c0w_twins.js`) runs async phases through `yield_to_render()`
4. On successful kernel exploitation, `jailbreak()` calls `binloader_init()` which:
   - Searches USB paths for `payload.bin`
   - Maps it into kernel memory
   - Spawns it via `thrd_create()`
5. GoldHEN loads, process auto-closes

## Credits

- **[ChendoChap](https://github.com/ChendoChap)** โ€” original kernel exploit PoC (ipv6 UAF)
- **[TheOfficialFloW](https://github.com/TheOfficialFloW)** โ€” NetCtrl (sys_netcontrol UAF) kernel exploit discovery
- **[c0w-ar](https://github.com/c0w-ar/)** โ€” Lapse and NetCtrl porting, reverse engineering
- **[earthonion](https://github.com/earthonion)** โ€” UI, payload hosting, JS injection, binloader, reverse engineering
- **[SiSTR0](https://github.com/SiSTR0)** โ€” GoldHEN payload ([GoldHEN](https://github.com/GoldHEN/GoldHEN))
- **[Helloyunho](https://github.com/Helloyunho)** โ€” Lapse exploit, TypeScript port, PS4 kernel offsets
- **[ufm42](https://github.com/ufm42)** โ€” Userland exploit (CVE-2017-7117), reverse engineering
- **[Vuemony](https://github.com/Vuemony/vue-after-free)** โ€” Vue-after-free exploit framework
- **[AlAzif](https://github.com/Al-Azif)** โ€” Exploit table references, retail application advice, Lapse kpatches
- **[Gezine](https://github.com/Gezine)** โ€” Local JS method, PSN bypass research
- **[Sony](https://playstation.com)** โ€” VueAfterFree vulnerability in PS Vue

## Files

```
PS4-12.00-Jailbreak/
โ”œโ”€โ”€ start.bat                 # Windows launcher
โ”œโ”€โ”€ start.sh                  # Linux/macOS launcher
โ”œโ”€โ”€ README.md
โ”œโ”€โ”€ requirements.txt
โ”œโ”€โ”€ proxy/
โ”‚   โ”œโ”€โ”€ stock_n_hack_capture.py   # mitmproxy addon
โ”‚   โ””โ”€โ”€ serve_local.js            # Custom exploit loader
โ””โ”€โ”€ server/download0/             # Exploit JS files
    โ”œโ”€โ”€ types.js
    โ”œโ”€โ”€ defs.js
    โ”œโ”€โ”€ userland.js
    โ”œโ”€โ”€ loader.js
    โ”œโ”€โ”€ binloader.js
    โ”œโ”€โ”€ kernel.js
    โ”œโ”€โ”€ lapse.js
    โ”œโ”€โ”€ netctrl_c0w_twins.js
    โ”œโ”€โ”€ check-jailbroken.js
    โ””โ”€โ”€ ftp-server.js
```