## https://sploitus.com/exploit?id=0DFC8491-841C-5036-AD2D-DED5CDD8F04E
# PS4 12.00 Jailbreak + GoldHEN
One-click local proxy that jailbreaks PS4 FW 12.00 via NetCtrl kernel exploit and automatically loads GoldHEN.
No internet access needed after initial setup โ everything runs locally through a MITM proxy.
## Why This Exists
This project started as a personal learning exercise to understand PS4 exploitation by reverse engineering and improving an existing jailbreak chain:
- The original `earthonion.com` exploit had several pain points: its `serve.js` tried to save files to the PS4 filesystem via POST (which hung), and the Lapse exploit crashed with `thrd_create()` on FW 12.00
- By building a local MITM proxy, we could intercept, debug, and fix each step โ understanding exactly how the kernel exploit works, how `yield_to_render()` drives the async exploit chain, and how `binloader_init()` locates and loads GoldHEN from USB
- `serve_local.js` was written to replace the original loader โ it evals all JS directly in memory (no filesystem writes) and skips the conflicting menu UI, making the exploit more reliable and transparent
- The result is a clean, reproducible jailbreak that anyone can run from a single batch file โ and a documented reference for anyone curious about the internals
**Built for learning, shared for convenience.** All credit for the underlying exploits goes to the PS4 homebrew community.
## Requirements
- **PS4** on FW 12.00 with PS Vue app installed
- **PC** on the same network as PS4 (Windows/Linux/macOS)
- **Python 3.8+** installed
- **USB drive** (FAT32/exFAT) with `payload.bin` (GoldHEN) on the root
## Setup
### 1. Install dependencies
```
pip install mitmproxy
```
### 2. Get GoldHEN payload
Download GoldHEN v2.4b18.10 (or newer) and rename the `.bin` file to `payload.bin`. Place it on a FAT32/exFAT USB drive root.
### 3. Configure PS4 network
Settings โ Network โ Set Up Internet Connection โ Wi-Fi or LAN โ Custom:
- **IP Address**: Automatic
- **DHCP Host**: Do Not Specify
- **DNS**: Manual
- Primary: `62.210.38.92`
- Secondary: (leave blank)
- **MTU**: Automatic
- **Proxy Server**: Use
- Address: `192.168.2.1`
- Port: `8080`
- **UPnP**: Disable
> If your PC IP is different, change the proxy address to match.
### 4. Insert USB
Plug the USB with `payload.bin` into the PS4. Close any running game.
## Usage
### Windows
Double-click `start.bat`
### Linux / macOS
```
chmod +x start.sh
./start.sh
```
The proxy starts on port 8080. Then on PS4:
1. Launch **PS Vue** app
2. Navigate to `http://earthonion.com`
3. Wait. You'll see text log on screen:
- `Downloading files...`
- `FW: 12.00`
- `NetCtrl exploit starting`
- `Jailbreak Complete - JAILBROKEN`
- `Payload loaded successfully` (GoldHEN loaded)
4. The app auto-closes. Press PS button โ Settings โ GoldHEN entries appear
**Total time**: ~30-90 seconds
## Troubleshooting
| Symptom | Fix |
|---------|-----|
| "can't find variable FW_VERSION" | Re-download latest bundle |
| Exploit starts but never completes | Reboot PS4 and try again (memory conditions vary) |
| "No payload found" in logs | Check USB is inserted and `payload.bin` is on root |
| Can't connect to earthonion.com | Check PS4 proxy address/port matches PC |
| Proxy won't start | Run `pip install mitmproxy` first, check port 8080 is free |
| Black screen with no text | Close any running game before launching Vue |
## How It Works
1. PS Vue requests `earthonion.com/manifest.aes` โ proxy returns a modified manifest pointing to our local `serve_local.js`
2. `serve_local.js` downloads all exploit JS files from the local proxy (no internet needed)
3. The NetCtrl kernel exploit (`netctrl_c0w_twins.js`) runs async phases through `yield_to_render()`
4. On successful kernel exploitation, `jailbreak()` calls `binloader_init()` which:
- Searches USB paths for `payload.bin`
- Maps it into kernel memory
- Spawns it via `thrd_create()`
5. GoldHEN loads, process auto-closes
## Credits
- **[ChendoChap](https://github.com/ChendoChap)** โ original kernel exploit PoC (ipv6 UAF)
- **[TheOfficialFloW](https://github.com/TheOfficialFloW)** โ NetCtrl (sys_netcontrol UAF) kernel exploit discovery
- **[c0w-ar](https://github.com/c0w-ar/)** โ Lapse and NetCtrl porting, reverse engineering
- **[earthonion](https://github.com/earthonion)** โ UI, payload hosting, JS injection, binloader, reverse engineering
- **[SiSTR0](https://github.com/SiSTR0)** โ GoldHEN payload ([GoldHEN](https://github.com/GoldHEN/GoldHEN))
- **[Helloyunho](https://github.com/Helloyunho)** โ Lapse exploit, TypeScript port, PS4 kernel offsets
- **[ufm42](https://github.com/ufm42)** โ Userland exploit (CVE-2017-7117), reverse engineering
- **[Vuemony](https://github.com/Vuemony/vue-after-free)** โ Vue-after-free exploit framework
- **[AlAzif](https://github.com/Al-Azif)** โ Exploit table references, retail application advice, Lapse kpatches
- **[Gezine](https://github.com/Gezine)** โ Local JS method, PSN bypass research
- **[Sony](https://playstation.com)** โ VueAfterFree vulnerability in PS Vue
## Files
```
PS4-12.00-Jailbreak/
โโโ start.bat # Windows launcher
โโโ start.sh # Linux/macOS launcher
โโโ README.md
โโโ requirements.txt
โโโ proxy/
โ โโโ stock_n_hack_capture.py # mitmproxy addon
โ โโโ serve_local.js # Custom exploit loader
โโโ server/download0/ # Exploit JS files
โโโ types.js
โโโ defs.js
โโโ userland.js
โโโ loader.js
โโโ binloader.js
โโโ kernel.js
โโโ lapse.js
โโโ netctrl_c0w_twins.js
โโโ check-jailbroken.js
โโโ ftp-server.js
```