A quick update has been published for P2JB-Y2JB-Porting, one of the most followed and fastest-evolving projects of the scene, which integrates the well-known P2JB kernel exploit directly into the Y2JB framework, better known in the community as the YouTube Jailbreak.

The work behind this port continues to be carried out by matem6, who regularly updates the P2JB-Y2JB-Porting project with the aim of making the integration between the P2JB kernel exploit and the Y2JB userland framework increasingly solid.

The result is an increasingly coherent structure, which aims to reduce friction between the various components and improve the overall stability of the entire chain.

Y2JB, as a reminder, uses the YouTube app environment on the PS5 to obtain userland code execution via JavaScript, while P2JB is the kernel-side component, based on research and implementations already known in the community.

matem6's port sits at this meeting point, unifying the two layers into a single, more manageable and modern chain.

Version 2.4 brings several relevant technical changes. The most important is the ELF loader, which now runs directly from the Y2JB sandbox without relying on kexp.

The file elfldr_1320 is in fact read directly from one of the framework's sandbox slots and started through the functions elf_parse and elf_run, replacing the previous shellcode-based delivery system used with Y2JB 1.4.

Another significant feature concerns Debug Settings, which are now activated automatically by P2JB via GPU DMA writes directly to the kernel's read-only .data section.

This mechanism acts on internal parameters such as security_flags, target_id, qa_flags and utoken_flags, making the process more direct and automated than in previous versions.

On the compatibility front, release 2.4 also introduces better support for the different variants of the Y2JB framework.

The system can recognize and handle both version 1.3 and version 1.4 by automatically probing for the files elfldr_1320_v5.elf and elfldr.elf, adapting dynamically to the available environment.

Requirements

Setup PS5 (Y2JB)

This payload runs within the Y2JB userland framework on the PS5 (the YouTube TV app modified to run arbitrary JavaScript). Before you can send anything to the console, you need to restore Gezine's Y2JB system backup on the PS5 (see Gezine/Y2JB for the backup file and the recovery procedure).

Without Y2JB restored and without the YouTube TV app started, the PS5 has no listener for the payload and nothing will happen.

Hardware

  • PlayStation 5 console with firmware 9.00 – 12.40 (tested on 11.60).
  • USB flash drive formatted FAT32 or exFAT.
  • PC connected to the same LAN network as the PS5.

Software (on PC)

  • The payload-sending tool payload_sender.py from Gezine/Y2JB (not included here).
  • Al-Azif/hermes-link (or any equivalent tool) to send ELFs to the loader on port :9021.

File

  • p2jb.js— jailbreak payload (in this repository).

Use

1. Send the payload

From the PC: python payload_sender.py <ps5-ip> p2jb.js

The payload sends real-time logs to the payload_sender.py console.

The first number (master) is a sort of "fingerprint" of YouTube's activity level at that moment: the lower the value, the fewer file descriptors are open and the quieter the host is considered to be.

The whole process is much more likely to complete correctly when the master value is 34 or less; higher values have been empirically associated with kernel panics in the later stages of the exploit.

If the master value exceeds 34, it is recommended to close YouTube completely (Options → Close application), reopen the app, wait longer than on the previous attempt and retry from step 1.

2. Wait about 50 minutes

The cr_ref leak accounts for almost all of the execution time. During this phase the payload sender remains completely silent and no progress is shown.

Do not assume the process has crashed: the worker is monitored internally to verify correct execution, and a real hang would show up as a FATAL log line. Throughout the procedure it is important not to interact with the PS5.

3. Verify completion

[p2jb] stage_elfldr: daemon should be listening on :9021
[p2jb] === p2jb complete ===

This means that the in-memory jailbreak is active and the ELF loader is available. Any ELF sent to port :9021 will run on the jailbroken PS5.

Warning: Do not close the YouTube app and do not leave the console idle for too long without having applied persistence measures (see Known limitations).

Sending an ELF to :9021

A convenient tool for sending ELFs to the loader is Al-Azif/hermes-link. It automatically handles the TCP handshake required by the loader, so the protocol does not have to be implemented by hand.

Next step (recommended): apply BD-UN-JB

It is recommended to apply BD-UN-JB. Send the relevant unpatcher ELF to port :9021 (e.g. via hermes-link) and follow the dedicated BD-UN-JB documentation for further details.

Tuning: leak speed vs stability

The cr_ref leak is performed by multiple worker threads pinned to separate cores, running in parallel. The default configuration uses 4 cores (cores 0–3), while core 4 is left free for the orchestrator:

// p2jb.js
const LEAK_CORES = [0, 1, 2, 3];   // ~48 min, default setting

On systems that are unstable with 4 active cores (e.g. a kernel panic during the leak, or runs that never reach Stage 0), reducing the number of cores trades execution time for greater stability.

Fewer workers in parallel means less contention on the kernel kqueueex allocator and a higher probability of completing the procedure correctly.

LEAK_CORES       Total time    Notes
[0, 1, 2, 3]     ~50 min       Default — faster, less stable
[0, 1, 2]        ~1h           Three cores — slightly more stable
[0, 1]           ~1h 30 min    Intermediate compromise
[0]              ~2h           Single-core — slower, maximum stability

To change this setting, open p2jb.js, find the LEAK_CORES variable, modify the array, save the file and run payload_sender.py as usual.

In general, it is recommended to start from the default configuration and reduce the number of cores only in case of kernel panics during the leak, or if Stage 0 is not reached after more than an hour.

Known limitations

Note: Closing the YouTube host app causes a kernel panic on the console (WIP). After === p2jb complete ===, exiting to the PS5 menu causes an unclean shutdown. Cleanup of the post-jailbreak kernel state is not yet stable.

Mitigation: Apply a persistent jailbreak (e.g. BD-UN-JB) before closing; its effect survives the panic-on-close.

  • master_rfd > 34 aborts execution. Restart YouTube and try again. This is intentional: a "noisier" host increases the likelihood of a crash in the stage 0 → stage 1 transition.
  • One attempt per boot. A p2jb.fail marker is created at stage 0 to prevent re-execution without a restart.
  • The YouTube app must remain open until a persistent payload is applied: elfldr runs as a daemon thread inside the YouTube process.

Changelog

  • ELF loader from the Y2JB sandbox (without kexp). The file elfldr_1320 is now read directly from one of the Y2JB sandbox slots and started via the functions elf_parse and elf_run, replacing the kexp shellcode delivery used by Y2JB 1.4.
  • The Debug Settings menu is enabled directly by P2JB via GPU DMA writes to the kernel's read-only .data section (security_flags, target_id, qa_flags, utoken_flags).
  • Support for Y2JB 1.3 alongside 1.4, with automatic detection of both elfldr_1320_v5.elf and elfldr.elf.

Download: Y2JB-P2JB
Download: nanoDNS
Download: PS5 Bdjb Autoloader
Download: Bdj Unpatch
Download: Y2JB 1.5
Download: Y2JB Remote JS Loader

Original article in Italian: biteyourconsole.net
