git.seregonwar.com

README.md

BD-EJ / README.md

1	# PS4/PS5 Disc Eject Payload
2
3	Payload for ejecting the Blu-ray disc from jailbroken/exploited PS4/PS5 consoles.
4
5	## Technical Information
6
7	### System Daemon: SceBdSvc
8
9	The SceBdSvc daemon (Sce Blu-ray Disc Service) is the PS4/PS5 kernel component responsible for complete management of the Blu-ray optical drive. As both consoles are based on FreeBSD kernel, the drive is exposed as a standard `/dev/cd0` device.
10
11	SceBdSvc Responsibilities:
12	- Disc insertion/removal detection
13	- Drive motor and mechanism control
14	- Tray lock/unlock management
15	- Interfacing with the CAM (Common Access Method) subsystem
16	- Communication with SceShellCore for system UI
17
18	### Device and Mountpoint
19
20	\| Path \| Description \|
21	\|------\|-------------\|
22	\| `/dev/cd0` \| Main Blu-ray drive device node \|
23	\| `/mnt/disc` \| Disc filesystem mountpoint (when inserted) \|
24	\| `/dev/duid` \| Device for Disc Unique ID (used by libSceDiscId) \|
25
26	### Syscall and IOCTL
27
28	Disc ejection occurs through the syscall chain:
29
30	```
31	open("/dev/cd0", O_RDONLY \| O_NONBLOCK) → SYS_open (syscall #5)
32	ioctl(fd, CDIOCALLOW) → SYS_ioctl (syscall #54)
33	ioctl(fd, CDIOCEJECT) → SYS_ioctl (syscall #54)
34	close(fd) → SYS_close (syscall #6)
35	```
36
37	IOCTLs used (defined in `<sys/cdio.h>`):
38
39	\| IOCTL \| Description \| Notes \|
40	\|-------\|-------------\|------\|
41	\| `CDIOCALLOW` \| Unlocks the ejection prevention mechanism \| Non-critical, some drives ignore it \|
42	\| `CDIOCEJECT` \| Ejects the disc from the drive \| Sends SCSI START STOP UNIT command (LoEj=1) \|
43	\| `CDIOCPREVENT` \| Locks ejection (opposite of ALLOW) \| Not used in this payload \|
44	\| `CDIOCCLOSE` \| Closes the tray and loads the media \| Not used in this payload \|
45
46	### PS4-Specific IOCTLs (Reference)
47
48	From psdevwiki, on PS4 the BD drive can also be controlled via ICC:
49
50	\| IOCTL \| Name \| Device \|
51	\|-------\|------\|--------\|
52	\| `0x80019C07` \| `icc_device_power_control_bd_power_state` \| `/dev/icc_device_power` \|
53	\| `0x40019C08` \| `icc_device_power_get_bd_power_state` \| `/dev/icc_device_power` \|
54
55	### Notification System
56
57	The payload supports two on-screen notification methods:
58
59	Legacy Method (`sceKernelSendNotificationRequest`):
60	- Compatible with PS4 and PS5
61	- `notify_request_t` structure (45 byte padding + 3075 byte message)
62	- Enabled by default
63
64	Modern Method (`sceNotificationSend` via `libSceNotification`):
65	- PS5 only with recent SDK
66	- JSON payload with icon support, sub-messages, deep-link actions
67	- Enable with `make MODERN_NOTIFY=1`
68
69	## Prerequisites
70
71	1. PS5 Payload SDK installed:
72	```bash
73	wget https://github.com/ps5-payload-dev/sdk/releases/latest/download/ps5-payload-sdk.zip
74	sudo unzip -d /opt ps5-payload-sdk.zip
75	export PS5_PAYLOAD_SDK=/opt/ps5-payload-sdk
76	```
77
78	2. Toolchain (Debian/Ubuntu):
79	```bash
80	sudo apt-get install bash clang-18 lld-18
81	```
82
83	3. Jailbroken/exploited console with active ELF loader (elfldr, websrv, shsrv, or bdj-ipv6-hen)
84
85	## Compilation
86
87	```bash
88	# Standard compilation (legacy notifications)
89	export PS5_PAYLOAD_SDK=/opt/ps5-payload-sdk
90	make
91
92	# With modern notifications (libSceNotification)
93	make MODERN_NOTIFY=1
94
95	# Clean
96	make clean
97	```
98
99	## Deploy and Execution
100
101	### Method 1: Direct Deploy (netcat/socat)
102
103	```bash
104	# Configure console IP
105	export PS5_HOST=192.168.1.100
106	export PS5_PORT=9021
107
108	# Deploy and execution
109	make test
110	```
111
112	Or manually:
113	```bash
114	nc -q0 192.168.1.100 9021 < disc_eject.elf
115	```
116
117	### Method 2: Via Web Server (websrv)
118
119	If `websrv` is running on the console:
120	```
121	http://<ip-console>:8080/elfldr?payload=disc_eject.elf
122	```
123
124	### Method 3: Via Shell (shsrv)
125
126	```bash
127	telnet <console-ip> 2323
128	# From shell:
129	/user/homebrew/bin/disc_eject.elf
130	```
131
132	### Method 4: Autorun
133
134	Rename the ELF and place it:
135	```bash
136	cp disc_eject.elf /path/to/usb/autorun.bin
137	```
138
139	## Debug
140
141	```bash
142	# Requires gdbsrv on console (port 2159)
143	export PS5_HOST=192.168.1.100
144	make debug
145	```
146
147	## Error Handling
148
149	\| Error \| Cause \| Solution \|
150	\|--------\|-------\|-----------\|
151	\| `ENOENT` \| `/dev/cd0` not found \| Digital Edition console (no drive) \|
152	\| `EACCES` \| Insufficient permissions \| Kernel exploit required \|
153	\| `ENXIO` \| Drive not ready \| No disc inserted \|
154	\| `EIO` \| Hardware I/O error \| Drive hardware problem \|
155	\| `EBUSY` \| Device busy \| A game is using the disc \|
156
157	## Project Structure
158
159	```
160	disc_eject/
161	├── main.c # Main source code
162	├── Makefile # Build system (ps5-payload-sdk)
163	└── README.md # This documentation
164	```
165
166	## Integration in Other Projects
167
168	The code is designed to be easily integrated:
169
170	```c
171	/* Include in your project */
172	#include "disc_eject.h" /* Or copy functions directly */
173
174	/* Eject the disc */
175	if (eject_disc() == 0) {
176	/* Success */
177	} else {
178	/* Error - check errno */
179	}
180
181	/* Send notification */
182	send_notification("Title", "Subtitle");
183	```
184
185	To integrate into an existing project, copy the `eject_disc()` and `notify_legacy()` functions from `main.c`.
186
187	## References
188
189	- [PS5 Payload Dev SDK](https://github.com/ps5-payload-dev/sdk)
190	- [PS5 DevWiki - Devices](https://www.psdevwiki.com/ps5/Devices)
191	- [PS5 DevWiki - IOCTL](https://www.psdevwiki.com/ps5/IOCTL)
192	- [PS4 DevWiki - IOCTL](https://www.psdevwiki.com/ps4/IOCTL)
193	- [FreeBSD cd(4) man page](https://man.freebsd.org/cgi/man.cgi?cd(4))
194	- [FreeBSD cdio.h](https://man.freebsd.org/cgi/man.cgi?cdcontrol(1))
195
196	## License
197
198	GPLv3+ - See COPYING file for details.
199

Seregon/BD-EJ