Userland code execution using the PS5 YouTube app.
- At least 4.03 firmware PS5
- Fake or legit activated PS5
- USA YouTube app version 1.03 PKG
- FTP access to the console
- USB flash drive
- Pre-made backup file
- Navigate to Settings > Network > Settings > Set Up Internet Connection
- Scroll to the bottom and select Set Up Manually
- Choose your connection type:
  - Use WiFi: Enter your network name and password manually, then set security to "WPA-Personal..."
  - Use a LAN Cable: Proceed to the next step
- Under DNS Settings, change from "Automatic" to Manual
- Set Primary DNS to 127.0.0.2 (leave Secondary DNS blank)
- Press Done and wait for the connection to establish
Note: You may see a network/PSN connection error - this is expected and can be safely ignored. The console will still function normally for YouTube payload delivery.
Alternative: Instead of using 127.0.0.2, you can block PSN servers and www.youtube.com from your custom DNS server.
The DNS configuration is critical for Y2JB to function properly for two technical reasons:
- Blocking PSN Connections: Setting the DNS to 127.0.0.2 (localhost) prevents the PS5 from reaching PlayStation Network servers. This blocks both the YouTube app and system firmware update prompts that would otherwise interfere with the exploit.
- Preventing YouTube App Connection: The YouTube app must be prevented from connecting to www.youtube.com. If the domain resolves successfully, the exploit will run but the YouTube app will kill it after approximately 2 seconds and replace it with the normal YouTube page. While Y2JB includes a built-in patch to prevent this behavior, the patch is not perfect. Therefore, blocking www.youtube.com via DNS is still recommended to ensure reliable exploit execution.
Note: If you're using the backup file from the releases page, you can skip this section.
Y2JB requires a fake-activated account to run properly.
Important: If you have a legit PSN-activated account (officially registered through PlayStation Network), you cannot use it directly with Y2JB. You must create and use a separate fake-activated account instead.
To fake activate an account:
- Create a new offline account on your PS5
- While logging in to this new account, open etaHEN toolbox
- Navigate to the "Remote Play" menu
- The account will be automatically fake activated
- Install YouTube app version 1.03 PKG on your PS5
- Use FTP to access the following path (create if not present): /user/download/PPSA01650
- Download download0.dat from the releases page and send it using FTP
- Download the backup file from the releases page
- Follow Sony's official guide to restore backup data from USB
Note: If you're using backup file version 1.2.1 or higher from the releases page, you can skip this section.
This script prevents the YouTube app from updating if you accidentally connect to the internet. Allowing updates can cause a softlock that prevents YouTube from launching (see next section for fix instructions).
Steps:
- After installing the YouTube PKG, retrieve /system_data/priv/mms/appinfo.db from your PS5 using FTP
- Place appinfo.db in the same directory as appinfo_editor.py
- Run the script to modify appinfo.db and block YouTube updates: python appinfo_editor.py
- Before replacing the file on your PS5 (to avoid database corruption):
  - Close the YouTube app completely
  - Navigate to the Settings page
  - Ensure no packages are currently being installed or updated
- Use FTP to replace /system_data/priv/mms/appinfo.db with the modified version
- If you don't receive any database corruption notification, reboot your PS5
This issue typically occurs when you connect to the internet before setting the 127.0.0.2 DNS (most common with WiFi users).
Recovery steps:
- Once softlocked, connect to the internet normally without custom DNS
- Launch YouTube again and deny the system software update popup
- The YouTube app should now launch successfully
- Run the jailbreak and load HEN
- Set the DNS to 127.0.0.2 again, then uninstall YouTube
- Follow the Jailbroken PS5 section and Blocking YouTube Updates (appinfo_editor.py) section again
- Restart your PS5. Done.
Note: The Remote JS Server does not always use port 50000. While it typically defaults to port 50000, it may occasionally use a different port - this is normal behavior, not a bug.
You can send payloads using payload_sender.py (requires Python).
Usage:
python payload_sender.py <host> <file>
python payload_sender.py <host> <port> <file>
Examples:
python payload_sender.py 192.168.1.100 helloworld.js
python payload_sender.py 192.168.1.100 50000 helloworld.js
python payload_sender.py 192.168.1.100 9020 payload.bin
Firmware Compatibility: Only works up to firmware 10.01
After the Lapse payload succeeds, you need to send the HEN or other elf binary to port 9021. You can use any TCP payload sender such as:
- netcat
- payload_sender.py
Example:
python payload_sender.py 192.168.1.100 9021 hen.bin
- shahrilnet, null_ptr - Referenced a lot of code from Remote Lua Loader
- ntfargo - Thanks for providing V8 CVEs and CTF writeups
- abc and psfree team - Lapse implementation
- flat_z and LM - Helping implement GPU rw using direct ioctl
- john-tornblom and EchoStretch - Providing elfldr.elf payload
- hammer-83 - Various BD-J PS5 exploit references
- zecoxao, idlesauce, and TheFlow - Helping troubleshoot dlsym
- Dr.Yenyen and PS5 R&D community - Testing Y2JB
- Rush - Creating Y2JB backup file
This tool is provided as-is for research and development purposes only. Use at your own risk. The developers are not responsible for any damage, data loss, or consequences resulting from the use of this software.
