BD-EJ
A simple payload for ejecting disks
PS4/PS5 Disc Eject Payload
Payload for ejecting the Blu-ray disc from jailbroken/exploited PS4/PS5 consoles.
Technical Information
System Daemon: SceBdSvc
The SceBdSvc daemon (Sce Blu-ray Disc Service) is the PS4/PS5 kernel component responsible for complete management of the Blu-ray optical drive. As both consoles are based on FreeBSD kernel, the drive is exposed as a standard /dev/cd0 device.
SceBdSvc Responsibilities:
- Disc insertion/removal detection
- Drive motor and mechanism control
- Tray lock/unlock management
- Interfacing with the CAM (Common Access Method) subsystem
- Communication with SceShellCore for system UI
Device and Mountpoint
| Path | Description |
|---|---|
/dev/cd0 | Main Blu-ray drive device node |
/mnt/disc | Disc filesystem mountpoint (when inserted) |
/dev/duid | Device for Disc Unique ID (used by libSceDiscId) |
Syscall and IOCTL
Disc ejection occurs through the syscall chain:
open("/dev/cd0", O_RDONLY | O_NONBLOCK) → SYS_open (syscall #5)
ioctl(fd, CDIOCALLOW) → SYS_ioctl (syscall #54)
ioctl(fd, CDIOCEJECT) → SYS_ioctl (syscall #54)
close(fd) → SYS_close (syscall #6)
IOCTLs used (defined in <sys/cdio.h>):
| IOCTL | Description | Notes |
|---|---|---|
CDIOCALLOW | Unlocks the ejection prevention mechanism | Non-critical, some drives ignore it |
CDIOCEJECT | Ejects the disc from the drive | Sends SCSI START STOP UNIT command (LoEj=1) |
CDIOCPREVENT | Locks ejection (opposite of ALLOW) | Not used in this payload |
CDIOCCLOSE | Closes the tray and loads the media | Not used in this payload |
PS4-Specific IOCTLs (Reference)
From psdevwiki, on PS4 the BD drive can also be controlled via ICC:
| IOCTL | Name | Device |
|---|---|---|
0x80019C07 | icc_device_power_control_bd_power_state | /dev/icc_device_power |
0x40019C08 | icc_device_power_get_bd_power_state | /dev/icc_device_power |
Notification System
The payload supports two on-screen notification methods:
Legacy Method (sceKernelSendNotificationRequest):
- Compatible with PS4 and PS5
notify_request_tstructure (45 byte padding + 3075 byte message)- Enabled by default
Modern Method (sceNotificationSend via libSceNotification):
- PS5 only with recent SDK
- JSON payload with icon support, sub-messages, deep-link actions
- Enable with
make MODERN_NOTIFY=1
Prerequisites
-
PS5 Payload SDK installed:
wget https://github.com/ps5-payload-dev/sdk/releases/latest/download/ps5-payload-sdk.zip sudo unzip -d /opt ps5-payload-sdk.zip export PS5_PAYLOAD_SDK=/opt/ps5-payload-sdk -
Toolchain (Debian/Ubuntu):
sudo apt-get install bash clang-18 lld-18 -
Jailbroken/exploited console with active ELF loader (elfldr, websrv, shsrv, or bdj-ipv6-hen)
Compilation
# Standard compilation (legacy notifications)
export PS5_PAYLOAD_SDK=/opt/ps5-payload-sdk
make
# With modern notifications (libSceNotification)
make MODERN_NOTIFY=1
# Clean
make clean
Deploy and Execution
Method 1: Direct Deploy (netcat/socat)
# Configure console IP
export PS5_HOST=192.168.1.100
export PS5_PORT=9021
# Deploy and execution
make test
Or manually:
nc -q0 192.168.1.100 9021 < disc_eject.elf
Method 2: Via Web Server (websrv)
If websrv is running on the console:
http://<ip-console>:8080/elfldr?payload=disc_eject.elf
Method 3: Via Shell (shsrv)
telnet <console-ip> 2323
# From shell:
/user/homebrew/bin/disc_eject.elf
Method 4: Autorun
Rename the ELF and place it:
cp disc_eject.elf /path/to/usb/autorun.bin
Debug
# Requires gdbsrv on console (port 2159)
export PS5_HOST=192.168.1.100
make debug
Error Handling
| Error | Cause | Solution |
|---|---|---|
ENOENT | /dev/cd0 not found | Digital Edition console (no drive) |
EACCES | Insufficient permissions | Kernel exploit required |
ENXIO | Drive not ready | No disc inserted |
EIO | Hardware I/O error | Drive hardware problem |
EBUSY | Device busy | A game is using the disc |
Project Structure
disc_eject/
├── main.c # Main source code
├── Makefile # Build system (ps5-payload-sdk)
└── README.md # This documentation
Integration in Other Projects
The code is designed to be easily integrated:
/* Include in your project */
#include "disc_eject.h" /* Or copy functions directly */
/* Eject the disc */
if (eject_disc() == 0) {
/* Success */
} else {
/* Error - check errno */
}
/* Send notification */
send_notification("Title", "Subtitle");
To integrate into an existing project, copy the eject_disc() and notify_legacy() functions from main.c.
References
- PS5 Payload Dev SDK
- PS5 DevWiki - Devices
- PS5 DevWiki - IOCTL
- PS4 DevWiki - IOCTL
- FreeBSD cd(4) man page
- FreeBSD cdio.h
License
GPLv3+ - See COPYING file for details.