Vue After Free continues to mature with a small but very targeted update, which consolidates the project's position among the most practical and complete userland exploits currently available for PlayStation 4 consoles.

The foundation is still the use-after-free vulnerability tracked as CVE-2017-7117, present in the PlayStation Vue app, which is used to obtain arbitrary code execution directly from the console's user environment.

The real strength of the project is not just the initial access, but its ability to automatically chain the userland exploit with kernel exploits that are already known and stable.

This mechanism turns that entry point into a complete, immediately usable jailbreak, without complex intermediate steps.

Depending on the firmware installed on the console, the behaviour adapts: up to version 12.02 Lapse is used, while from firmware 12.50 up to 13.00 NetCtrl, also known in the scene as Poopsploit, takes over.

In both cases the goal is the same: a fully unlocked PS4, ready to launch HEN or GoldHEN, with FTP access, custom payload loading and the patches needed to run games.

The latest update focuses precisely on reliability and code cleanup. Stability improvements for the NetControl exploit were contributed by earthonion, while Al-Azif standardized the shellcode, making the project tidier and more consistent.

An integrated AIO Fix was also added, which further simplifies applying the necessary patches.

On the usability front, concrete improvements have been made, such as timestamps in the log output and automatic saving of the log to a file, logs.txt.

Input handling is also more robust: commands are blocked while the jailbreak button is pressed to avoid accidental errors, the auto-load bug that produced the “fn not found” error has been fixed, and a problem that caused the configuration to be overwritten has been resolved.

Vue After Free Userland

  • CVE-2018-4441 was used initially, but due to instability and a low success rate it was abandoned.
  • CVE-2017-7117 is used for the userland and has been chained with the Lapse and Poopsploit (Netctrl) kernel exploits on the respective firmware versions given below.

Important: The stability of Netctrl is low because the exploit's memory usage is high relative to the memory available in Vue.

Area of vulnerability

KEX = Kernel Exploit

vue-after-free (Userland)   Lapse (KEX)    Netctrl (KEX)
5.05–13.04                  1.01–12.02     1.01–13.00

Supported by this repository

This table shows firmware versions for which the current version of this repository provides a functioning and tested jailbreak.

7.00-13.00

By default, Lapse is used from version 7.00 to 12.02 and Poopsploit from 12.50 to 13.00; you can still choose to run Poopsploit from firmware 9.00 onward.

The userland exploit works as-is from version 5.05 to 13.02.
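The firmware-to-exploit rules above (userland range, default kernel exploit per firmware range, and the manual Poopsploit choice from 9.00) are easy to get wrong when read from three separate sentences. The following is an added example, not code from the Vue After Free project, that writes those rules down as a small JavaScript dispatch function so the ranges can be checked against sample versions. It assumes firmware strings of the form "MAJOR.MINOR" such as "12.02"; versions in the gap between 12.02 and 12.50 are treated as "userland only" because the article names no kernel exploit for them, and that treatment is an assumption of this example.

```javascript
// Added example (not Vue After Free project code): firmware-based selection of
// the kernel exploit, following the ranges stated in the article.
// Assumption: version strings are "MAJOR.MINOR" (e.g. "12.02"); firmware
// between 12.02 and 12.50 gets no kernel exploit because the article lists none.

const USERLAND_RANGE = ["5.05", "13.02"]; // CVE-2017-7117 userland works here
const KEX_DEFAULTS = [
  { name: "Lapse",   min: "7.00",  max: "12.02" }, // default for 7.00-12.02
  { name: "Netctrl", min: "12.50", max: "13.00" }, // default for 12.50-13.00
];
// Manual override the article allows: Poopsploit (Netctrl) from 9.00 onward.
const NETCTRL_OVERRIDE_MIN = "9.00";
const NETCTRL_MAX = "13.00";

// Parse "MAJOR.MINOR" into a comparable integer (12.02 -> 1202).
// Returns null for anything that does not look like a firmware version.
function parseFirmware(s) {
  const m = /^(\d{1,2})\.(\d{2})$/.exec(String(s).trim());
  if (!m) return null;
  return Number(m[1]) * 100 + Number(m[2]);
}

function inRange(fw, min, max) {
  return fw >= parseFirmware(min) && fw <= parseFirmware(max);
}

// Returns { userland: boolean, kex: "Lapse" | "Netctrl" | null, reason: string }.
// preferNetctrl models the user choosing Poopsploit instead of the default.
function selectExploit(version, preferNetctrl = false) {
  const fw = parseFirmware(version);
  if (fw === null) {
    return { userland: false, kex: null, reason: "unparseable firmware version" };
  }
  if (!inRange(fw, USERLAND_RANGE[0], USERLAND_RANGE[1])) {
    return { userland: false, kex: null, reason: "outside userland range" };
  }
  // Manual choice: Netctrl may be forced from 9.00 up to its own maximum.
  if (preferNetctrl && inRange(fw, NETCTRL_OVERRIDE_MIN, NETCTRL_MAX)) {
    return { userland: true, kex: "Netctrl", reason: "manual Netctrl selection" };
  }
  const def = KEX_DEFAULTS.find((k) => inRange(fw, k.min, k.max));
  if (def) {
    return { userland: true, kex: def.name, reason: "default for this firmware" };
  }
  return { userland: true, kex: null, reason: "userland only: no kernel exploit for this firmware" };
}

// Constructed sample versions, one per branch of the rules.
for (const v of ["5.05", "8.50", "12.02", "12.10", "12.50", "13.02", "13.50"]) {
  console.log(v, selectExploit(v), selectExploit(v, true).kex);
}
```

The function returns a separate userland flag and kernel-exploit name so the two compatibility statements in the article (userland 5.05 to 13.02, jailbreak 7.00 to 13.00) can be checked independently; 13.02, for instance, yields userland only, matching the FAQ answer below.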

FAQ

Question: Does it work on 13.02 or higher?
Answer: Only userland, it is not possible to jailbreak over version 13.00 with the files in this repository.

Question: I started Vue and the app crashed. What happened?
Answer: If the app crashes the exploit has failed, restart the console and try again.

Question: I started Vue and the console went off, what should I do?
Answer: If a kernel panic occurred, you may need to press the console's power button twice, then try running the exploit again.

Question: How can I run a payload?
Answer: You need to close and reopen Vue between JS payloads, while .bin or .elf payloads can be run one after the other. Select the payload from the Payload menu in the interface.

Question: Can I run the jailbreak offline?
Answer: No. PS Vue requires some form of network connection. Internet access is not needed, so a home Wi-Fi network, a phone hotspot, a network provided by a microcontroller such as an ESP32, or an Ethernet connection from a repurposed PPPwn device all work.

Important: The Vue save file may occasionally reset. To avoid problems, copy the encrypted save to a USB stick from the PS4 settings menu of the user used to jailbreak, so that it can be restored later if needed.

Requirements

For PS4 already jailbroken

  • PS4 user account enabled (fake or legitimate).
  • FTP access to the console.
  • USB stick.
  • PlayStation Vue 1.01 base and patch 1.24 (referred to as “PS Vue” or “Vue” later in the guide). Download

For PS4 not jailbroken

  • USB stick.
  • System backup files.

Warning: Restoring the system backup deletes all data on the console, then installs the Vue app and the exploit's related data.

Configuration instructions

PS4 already jailbroken

A network connection of any kind is required. Before starting Vue, connect the console to a local network even if it does not have access to the Internet.

  • Perform the console jailbreak.
  • Enable FTP.
  • Install Apollo Save Tool. https://pkg-zone.com/details/APOL00004
  • Install PS Vue 1.01 pkg and patch 1.24. Download
  • Connect to the console via FTP.
  • Download the archive VueManualSetup.zip.
  • Through FTP, go to the path user/download/CUSA00960 (create it if necessary) and place the file download0.dat there.
  • Extract the archive save.zip onto the USB stick (or transfer it via FTP to /data/fakeusb/). The files will appear in USB Saves as if on a real USB stick; you can enable them in Apollo Settings > USB Save Sources so that they are the only thing displayed even when a real USB stick is connected.
  • Place HEN or GoldHEN renamed as payload.bin in the USB root, or put it in /data/.
  • Connect the USB stick to the console.
  • In Apollo Save Tool go to USB Saves, select the PS Vue save (CUSA00960) and choose the “Copy save game to HDD” option.
  • Restart the console, then open PS Vue and run the exploit by pressing the jailbreak button or by configuring the autoloader.
  • Optionally, after jailbreaking run the np-fake-signin payload to avoid the PSN popup.

PS4 not jailbroken

A network connection of any kind is also required here. Before starting Vue, connect the console to a local network even if it does not have access to the Internet.

  • Format the USB stick in ExFAT.

Notice: This will delete all data on the key. Backup any important data.

  • Download the archive VueSystemBackup.zip.
  • Extract the contents of the archive to the USB device.
  • Connect the USB device to the console.
  • If you already have a real PSN account on your console, go to Settings > Application Saved Data Management > Saved Data in System Storage and back up your saves to USB (sufficient space required).
  • If you can’t access the saves, it means you don’t have a real PSN account or an activated fake account, so without a jailbreak you can’t back them up.
  • Go to Settings > Storage > System Storage > Capture Gallery > Everything and back up the captures to USB (sufficient space required).
  • Go to Settings > System > Backup and Restore > Restore PS4, select the system backup and restore it.
  • After restarting the console you will have a fake account activated and PS Vue with the related data of the exploit.
  • Place HEN or GoldHEN renamed as payload.bin in the USB root.
  • Open PS Vue and run the exploit by pressing the jailbreak button or by configuring the autoloader.
  • Optionally, after jailbreaking run the np-fake-signin payload to avoid the PSN popup.

The user account ID is “11111111111111111111” and cannot be changed, but you can create another user and fake-activate it (instructions below); then, while jailbroken, follow the instructions above for already-jailbroken consoles, configuring PS Vue with the newly activated account.

Internet connection

  • Go to Settings > System > Automatic Downloads and uncheck “Highlights Content”, “System Software Update File” and “Application Update Files”.
  • Go to Settings > Network > Select Connect to the Internet, and then Set up Internet connection.
  • Connection: Wi-Fi or LAN cable.
  • Setting: Customized.
  • IP Address: Automatic.
  • DHCP host name: Do not specify.
  • DNS Settings: Manual.
  • Primary DNS: 62.210.38.117 (leave the secondary empty).
  • MTU Settings: Automatic.
  • Proxy server: Do not use.
  • Test the Internet connection; if you obtain an IP address, the setup works.

A failed Internet connection test does not mean you cannot connect; it only means the PS4 cannot reach Sony's servers, which is exactly what the custom DNS is there to prevent.

Payload

Vue After Free includes some pre-installed payloads.

NP-Fake-SignIn

The np-fake-signin payload removes the first PS Vue popup that requires access to the PSN.

In the payload section of Vue you will see np-fake-signin-ps4.elf. Use it on any fake account activated via Apollo while you are jailbroken and logged in to the target account.

Important: np-fake-signin should not run on a real PSN account.

FTP

The ftp-server.ts payload provides a sandboxed FTP server for quickly replacing exploit files or cosmetic files without running a kernel exploit or jailbreak.

WebUI

Example code showing how to run userland code using the browser as the interface (a possible alternative to jsmaf).

ELFLDR

elfldr.elf is used to load elf and bin payloads after the exploit when HEN or GoldHEN has not been loaded.

AIOFIX

This elf file is loaded automatically when the Lapse kernel exploit succeeds. It fixes problems in some games. It is not needed for Poopsploit/Netctrl.

Configuration

Vue includes some custom options. The jailbreak button automatically detects the firmware and uses the Lapse exploit from version 7.00 to 12.02 and Netctrl from 12.50 to 13.00. You can change the defaults in the configuration menu, JB Behaviour section.

Another available option is the automatic start of a kernel exploit when the Vue app is opened. You can choose whether to start Lapse or Netctrl automatically on compatible firmware via the Lapse and Auto Poop options.

Finally, after a successful jailbreak, you can set the automatic closure of the app via the Auto Close option.

Automatic payload

In the file config.js you can add .bin or .elf files to be loaded automatically when the kernel exploit completes. HEN or GoldHEN must not be added, since they are already loaded automatically from USB or from the /data/ directory.

Example: /mnt/sandbox/download/CUSA00960/payloads/kernel_dumper.bin

NP-Fake-SignIn

The np-fake-signin payload removes the first PS Vue pop-up asking you to sign in to the PSN. In the payload section of Vue, enable elfldr, then send np-fake-signin-ps4.elf with a payload sender or netcat.

Create a separate user

If you want to use a new account instead of the default one included in the system backup:

  • Create a new user.
  • Fake-activate it with Apollo Save Tool from User Tools > Activate PS4 Accounts (optionally with the desired account ID), then restart the console.
  • On the USB stick, extract the archive save.zip from VueManualSetup.zip.
  • In Apollo Save Tool go to USB Saves, select the PS Vue save (CUSA00960) and choose the “Copy save game to HDD” option.

Note: If you need help or are having problems, you can join the Discord server.

Changelog

New

  • Stability improvements for the NetControl exploit by @earthonion
  • Standardization of the shellcode by @Al-Azif in #42
  • Addition of the integrated AIO Fix by @Al-Azif in #44
  • Timestamps in logs and auto-saving to logs.txt by @m2k7min in #49
  • Input locked while the jailbreak button is pressed, to avoid errors, by @m2k7min in #82
  • Fixed auto load error (“fn not found”).
  • Fixed configuration overwriting issue.

This release focuses on NetCtrl stability improvements for users on 12.50–13.00 firmware; further fixes to the interface will follow in upcoming versions.

Note: Auto Loader and Auto Close should not be used until the next release.

AIO fixes for Lapse 7.00–12.02 are now implemented as a kernel patch, replacing the AIO fix payload, together with kernel patches for 12.50–13.00, by @Al-Azif. fake-signin.bin has also been added to the payload menu.

The NetCtrl success rate is around 60–90%, in line with the rate expected for BD-J 12.5x with NetCtrl. Execution speed has also increased.

Two to four failed attempts should not discourage you from trying again, as even Lapse can fail several times in a row.

After further optimizations beyond the first two commits, tests by @DrYenyen and @earthonion recorded a success rate of 10/10 for @earthonion and 7/10 for @DrYenyen using NetCtrl. Feedback is requested on the Vue Discord indicated in the readme.

Further improvements to NetCtrl are not expected, but they may still be attempted.

Note

If the message “Reboot and try again”, “Buffer cannot be zero” or similar appears, turn off the console completely and restart it once.

After an error, the system attempts a cleanup to avoid a kernel panic (forced shutdown) and to let the user shut down safely and try again. Turning the console off and retrying is also recommended if the application crashes.

See the FAQ for information on Internet connection and general troubleshooting.

Download: ManualSetup.7z (v1.4)

Download: VueSystemBackup.7z (v1.4)

Download: Source code Vue After Free v1.4

Download: GoldHEN v2.4b18.9

Original article in Italian: biteyourconsole.net
