Jailbreak PS4 (v9.0) with ESP32-S2
So, when it comes to jailbreaking a PlayStation 4, especially firmware v9, the process is simple, but requires some manual fiddling to complete successfully. It’s not really hard, but it does require attention to timing to ensure it’s done successfully as often as possible (because remember, this is actually exploiting a flaw, so it’s not guaranteed to work every time, but it does work at least 90% of first attempts.
What’s happening with this process is that it tries to make use of a filesystem bug for the Playstation 4 on firmware 9.00, where successfully triggering it will allow you to run a specific payload that patches the kernal to remove some internal security checks and give the user system-level permissions. This results in a system that no longer needs to check for a physical disc before running a game that’s already installed, along with the ability to run third-party apps/payloads, enabling things like cheat menus and FTP servers for easier backups transfers.
The original process looks a little something like this:
- Boot the console
- Set network DNS address to match a site/service that’s publicly-accessible
- Open the PS4 web browser and navigate to a website
- Trigger the exploit
- Insert a USB thumb drive that has a specific payload on it to perform the jailbreak process and install GoldHEN in place of the PS Store.
- Remove the thumb drive at a specific time (when the notification about an invalid drive type fully goes away)
So, that process works, but requires you to not only keep track of a thumb drive dedicated just for this process, but you have to be connected to the internet, and you also have to hover over the console itself to handle the insertion/removal of the payload drive (which, remember, you’ll have to do any time the console is rebooted or power-cycled). Also, those exploit sites often go up and down and move at the whims of the hobbyists and lobbyists alike. Nothing like your process working one day, then completely broken the next because the web host shut down the site, or the kid who put it up stopped paying the bills or just got bored of it.
LAME! I like to take our PS4 up to the cabin for some idle time fun, but that means no internet, and no jailbreaking!
I found a way to improve this process, using a Raspberry Pi Zero to host one of those exploit sites completely local and independent of the internet connection, and it also gives me the ability to update the GoldHEN payload when new versions are released, too! With that in place, the process looks like:
- Boot the console
- Set DNS to local (in this case, 7.7.7.1, only needs to be done once)
- Launch Help Manual from Settings, the DNS setting will auto-redirect the browser to the site hosted on the Pi
- Select GoldHEN jailbreak option, wait a moment while the device triggers the exploit, then emulates a USB drive to provide the payload when needed.
- Close the dialog after the “invalid drive” notification clears
So the new process basically lets me manage the jailbreak process without needing to connect to an external website, without needing a dedicated USB drive, and largely automatic, except for the need to go to the local site, trigger the exploit, then clear the warning dialog at the appropriate time. It’s not difficult or even that annoying, but it could be just a little faster and a bit more automatic.
Happily, that’s now possible with an ESP32-S2, and updating the payload during active use is actually easier than with the Pi!
Before we jump into the process itself, let us first understand the advantages of using ESP32-S2 for jailbreaking.
Advantages of using ESP32-S2 for PS4 jailbreaking
No ExFATHax USB required
If you use ESP32-S2, then like the Pi process, you won’t need to prepare another USB with the exfathax.img written to it. This saves time and a lot of hassle, as you don’t have to unplug and plug this USB after every restart while jailbreaking. With ESP32-S2 and ESP32-S3, you can simply leave it plugged into the PS4 and it will take care of the jailbreaking step. This also saves you a lot of headache. Those who use the original USB ExfatHax method would know the trouble that ensues when they forget to unplug the USB before booting PS4.
Easy upload of new payloads
With Stooged’s web server that we will be using in this tutorial, adding new payloads is a breeze. We’ll cover that later in the article. That being said, it does have limited design customization ability when compared to what Index.html generator for PS4Linux exploit can accomplish. This is especially true if you have no idea about HTML coding.
No internet required
With Stooged’s web server script for Arduino boards, the board performs three functions simultaneously – as a web server, a mass storage device holding the exfathax.img and a WiFi hotspot. So, at no point would you need to connect to the internet. People who would like to avoid accidentally updating their PS4s or losing PSN access will appreciate this.
Upload your own payloads
Like the other options to host your exploits, this one allows you to upload new payloads as soon as they appear on the scene. All you need is the payload in .bin format. So, you won’t have to wait for a popular trusted host out there to upload the latest payloads to their jailbreak host site. You can also make your own payloads from source and test them easily.
How to jailbreak PS4 (9.00) with ESP32-S2?
Requirements
- => Supported ESP32-S2 Board (any of the below):
- – ESP32-S2 Mini (4MB)
- Link goes to HiLetgo version, sold on Amazon. It’s a reliable model I’ve used for multiple projects
- – TinyS2 (4MB)
- – Adafruit QT Py ESP32-S2 (4MB)
- – ESP32-S2 DevKitC-1 (4MB)
- – LILYGO TTGO T8 ESP32-S2 WOOR (4MB)
- – FeatherS2 (16MB)
- – ESP32-S2 Mini (4MB)
- => Arduino IDE
- => ESP32 Server 9.00U by Stooged (Code > Download ZIP)
- => ESPAsyncWebServer (Code > Download ZIP)
- => AsyncTCP (Code > Download ZIP)
- => Windows 10/11 (preferred)
There are many other ESP32-S2 boards that could work for this. But, many of these would require wiring to work without a standalone ExfatHax USB. So, I recommend you get any of the boards in the list above.
Once you have all these ready and downloaded, we are ready to get started with the process.
Connect ESP32-S2 to PC in programming (DFU) mode
Connect ESP32-S2 to PC using a USB cable.
Press and hold the button labelled O. While holding O, also start holding the button labelled RST.
When you hear the connected notification sound on Windows, release both buttons.
Once properly connected, your Device Manager will look like this:
As you can see, there’s a warning icon beside ESP32-S2. That’s not of concern as long as there is a device under Ports (COM & LPT). In this case, we have the ESP32-S2 connected to COM Port 6. Make a note of this.
Install and Setup Arduino IDE for programming ESP32-S2
Install/run Arduino IDE.
Open Arduino IDE and go to File > Preferences. In the blank for Additional boards manager URLs, add https://raw.githubusercontent.com/espressif/arduino-esp32/gh-pages/package_esp32_index.json. Click OK.
On the top, click on Select Board and choose ESP32S2 Dev Module or Deneyap Mini or whatever else, depending on your model. You can confirm the device using its COM Port number.
Install and Setup Arduino IDE for programming ESP32-S2
Install/run Arduino IDE.
Open Arduino IDE and go to File > Preferences. In the blank for Additional boards manager URLs, add https://raw.githubusercontent.com/espressif/arduino-esp32/gh-pages/package_esp32_index.json. Click OK.
On the top, click on Select Board and choose ESP32S2 Dev Module or Deneyap Mini or whatever else, depending on your model. You can confirm the device using its COM Port number.
Go to Tools > Board: “ESP32S2 Dev Module” > Boards Manager or click the Boards Manager icon in the left menu as shown above. Search for esp, choose version 2.0.14 and click Install. Don’t choose a later version, as it causes compiling errors down the road.
This process will take a few moments, depending on your system and setup. Wait for it to complete.
Setup ESP32 Server 9.00U and flash ESP32-S2 Board
Extract the downloaded zip file for ESP32 Server 9.00U.
On Arduino IDE, go to File > Open and browse to the file named ESP32_Server_900u.ino within the folder:
- ESP32-Server-900u-main
- ESP32-Server-900u-main
- ESP32_Server_900u
- ESP32-Server-900u-main
It should look like this
When done, the Tools area should like this example.
Go to Sketch > Include Library > Add .ZIP Library and choose the earlier downloaded ESPAsyncWebServer-master.zip. Repeat the same step to add the other library file, named AsyncTCP-master.zip.
Back on Arduino IDE, select Tools and change these settings to reflect the following values:
PSRAM : “Enabled”
Upload Mode: “Internal USB”
Confirm that ESP32S2 Dev Module is still selected. Then, click on the Upload button, or click on Sketch > Upload, or use CTRL-U on your keyboard.
This process may take a few minutes. When completed, this is what you will see in the Output console:
If you see it, disregard the error “Failed uploading: uploading error: exit status 1.” This error is coming from the IDE attempting to trigger a board reset like it would a regular Arduino, but these boards don’t work like that. These have to reset by disconnecting entirely, so you may now unplug the board from your PC.
Upload new PS4 payloads to ESP32-S2
There are a few different ways to upload newer payloads to the board. One of them is using Arduino IDE, which requires a custom script. But, this can be inconvenient for many, as each time you need to update payloads, you will have to connect the board to your PC in DFU mode. Fortunately, Stooged’s web server comes with a file uploader that is easy to access and use.
Turn on the PS4 and connect ESP32-S2 to PS4 without pressing any buttons on it.
On your PC, connect to the access point named, PS4_WEB_AP. The default password is ‘password’ unless you updated it during the initial setup and compilation phase previously.
Once connected, open a web browser and point it to http://10.1.1.1/admin.html.
Click on FIle Uploader. Browse to the .bin payloads you wish to have on the PS4. Click on Upload.
Go to File Manager to make sure that the payloads have been uploaded.
Disconnect WiFi on PC.
Step 5. Access ESP32 Server 9.00U Exploit Page on PS4
On PS4, go to Settings > Network. Enable the option that says, Connect to the Internet.
Go to Set Up Internet Connection > Use Wi-Fi > Custom.
Connect to the access point, PS4_WEB_AP with the default password, i.e., password.
Under DHCP Host Name, choose Do Not Specify.
Under DNS Settings, choose Manual and set 10.1.1.1 for both the Primary and Secondary DNS. When done, select Next.
Under Proxy Server, select Do Not Use.
When it asks to test the internet connection, press on the Circle button to exit.
To access the exploit page, go to Settings > User’s Guide and Helpful Info > User’s Guide. Alternatively, you can go to the PS4 web browser and point it to http://10.1.1.1.
That’s it!
Conclusion
Bear in mind you’ll need to go through the jailbreak/exploit process after any full reboot of the console. You should be able to go to Power Save (sleep) mode and wake without issue. Basically, when you boot your console, look for the GoldHEN icon in place of the Playstation Store. If it’s showing the PS store icon, you may need to re-jailbreak, which should be a simple manual reboot away.
One last thing that needs to be said:
This is not an official process; this is specifically breaking and bypassing the manufacturer’s built-in restrictions so we can do things they either did not intend or do not want (like being able to run game backups from any region without using a physical disc for verification). The process will fail from time to time, but it should be a pretty rare occurrence. This is not something the manufacturer tested and refined through dozens of developers, so don’t expect big huge massive company levels of stability at all times. This is a hack; you’re living on the edge, moving fast and breaking things. Sometimes broke things don’t work as expected, ya know? 😉
Also, showing you how this was done should not imply that I’ll accept responsibility for things going not-as-planned on your end. I just wrote a thing about something I did; if you choose to try what you see for yourself and something goes wrong, you’ll need to work it out for yourself as well. That’s part of the learning process too!
Now, go have some fun exploring some new possibilities with that old hardware!
