PSXHAX.COM website and domain for sale. Contact Us with your offer!
PlayStation 4 Keystone File Details on PS4 Dev Wiki by Barthen
Since the PS4 EBOOT / ELF FW Patcher Barthen Method and recent Free PS4 SaveData Decrypting Tools in development, CarlosCorcoles (aka Barthen) let us know on Twitter that he's added some information about keystone files to the PS4 developer wiki today! :ninja:

:arrow: Add Keystone GUI for PS4 FPKG Files by RoosterTeethForLife

To quote from the PSDevWiki page: Keystone

This file is generated on app package generation based on the passcode provided. It is then included in every savegame created by the app. It is used to prevent apps from mounting savedata of other apps, as you need to know at least the fingerprint to do it.

Passcode

The passcode is a 32 character string used on package generation to create the keystone file.

Structure

Size is always 96 (0x60) bytes for both PS4 and PSVita.

Offset Size Description Example
0x0 0x20 MAGIC ("keystone") and some constant bytes 6b 65 79 73 74 6f 6e 65 02 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x20 0x20 HMAC-SHA256 (32 bytes) of the bytes of the passcode using keystone_passcode_secret as key -
0x40 0x20 HMAC-SHA256 (32 bytes) of the previous two sections using keystone_ks_secret as key -
Sample keystone file generation

CSharp

Code:
public static byte [] GenerateKeystoneFile (string passcode)
{
   // 1. The first 32 bytes are constant
   byte[] keystone = {
       0x6B, 0x65, 0x79, 0x73, 0x74, 0x6F, 0x6E, 0x65, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
   };

   // 2. Convert the 32 characters of the passcode to a byte array
   byte[] passcodeInHEX = Encoding.ASCII.GetBytes(passcode);

   // 3. Calculate the...
PS4 HEN VTX: Homebrew Enabler for PS4 4.55 by XVortex Arrives
Since the 4.55 PS4 Holy Grail release today PlayStation 4 developer @XVortex announced HERE that PS4 Homebrew ENabler (HEN) for 4.55 Firmware is now released with the latest version linked below. :lovexf2:

Download: ps4-hen-vtx.bin (Latest Version) / Releases / GIT

While deimei1430 reports that "VTXHEN is more stable I don't get any hang or random shutdown," Valenroy also confirms that "installation to external HDD is still not possible yet."

PS4 developer VVildCard777 made available DumpFile455, and @stooged also shared some related PlayStation 4 updates today, including Ps4_Serve2_v1_5.apk and usb_455_vr_hen.zip updated with XVortex 4.55 HEN + Update Blocker and added the modded HEN with VR Enable mod.

Making rounds on Twitter of interest today as well:

Download: MODULES BY SEXI BURT.rar (2.18 GB)
Download...
PS4 5.X FullAutoInstall WebKit Exploit Mod and PS4 Breacher Reskin
Since the recent PS4 5.01 WebKit Exploit PoC (Proof of Concept) by ALEXZZZ9 others have been modding and skinning it including ItsXirano with the PS4 5.X FullAutoInstall WebKit Exploit and a reskinned version of the original dubbed PS4 Breacher by Monstro of IRC #ps4dev. :geekxf2:

Live Demos: PS4AutoExploit / PS4 Breacher

To quote from the README.md: PS4 5.X FullAutoInstall WebKit Exploit

Based on:
Why PS4 FAI Tool ?

Full Auto Lots of Updates More Things Coming Soon The Better Webkit Hack This exploit supports all PS4 5.XX (5.0>5.50)!

Installation
  1. Install the latest version of node from nodejs.org
  2. Clone this repository
  3. Run npm install
Usage

Use localhost , Like XAMPP to host the exploit

License

MIT License. See attached LICENSE.md file.

Webkit PS4 5.01 by Alexzzz9 dump libkernel.sprx and libSceWebkit.sprx
Thanks to both bladerunner6 and @Fimo for letting us know and to @Al Azif for the heads-up on the reskin in the PSXHAX Shoutbox. <3
Free PS4 SaveData Decrypting Tools in Development by Charlyzard, PS4 Save / VSH Utils!
Following the recent PS4Cheater homebrew app and the previously reported PS4 Sealedkey / pfsSKKey for PlayStation 4 savegame and trophy data decryption charlyzard (Twitter) of PSNCompare.com shared PS4SaveDataDecryptingTools in what he calls "just the first steps" of free and open-source PS4 SaveData Decrypting Tools in development utilizing PS4DumpSealedKeyAndSecret and PS4DecryptSaveDataKey! :ninja:

Download: PS4SaveDataDecryptingTools-master.zip / GIT / IV0000-HZHZ00001_00-SAVEDATATS000000.zip (6.06 MB - PS4-Save-Utils (2024-12-5)) via Charles_n_town / PS4-vsh-utils-main.zip (Firmware agnostic wrappers to mount/unmount/create ps4 save-, trophy files.) / GIT via hzhreal

Below are some preliminary details from the README.md, to quote: PS4SaveDataDecryptingTools
  • PS4DumpSealedKeyAndSecret
Just dumps to USB the sealed key and secret as shown here:

http://www.psdevwiki.com/ps4/Keys#Sealed_Key_Values
  • PS4DecryptSaveDataKey
Working code based on the wiki code:

http://www.psdevwiki.com/ps4/Sealedkey_/_pfsSKKey

Put the encrypted PFS key you want to decrypt in your first USB drive and name it pfskeyencrypted

This payload spits out a decryptedSaveDataKey.bin file on your USB

Thanks to @Thibobo for the...
PS4 4.55 WebKit Exploit Documentation Write-up by SpecterDev
Since his 4.05 PS4 Exploit, related Documentation, release of the full 4.55 PS4 Jailbreak and 4.55 PS4 Holy Grail homebrew enabler today PlayStation 4 developer @SpecterDev made available via Twitter his 4.55 WebKit exploit write-up for the "setAttributeNodeNS()" bug so other scene devs and enthusiasts can learn from it. :geekxf2:

Here's an excerpt from the complete setAttributeNodeNS UAF Write-up.md file, to quote: Conclusion

For a seasoned webkit attacker, this bug is trivial to exploit. For non-seasoned ones such as myself however, working with WebKit to leverage a read/write primitive from WebCore heap corruption can be confusing and challenging.

I hope through this write-up that it can help other researchers new to webkit to understand a bit of the magic that happens behind webkit exploitation, as without understanding fundamental data structures such as JSObjects and JSValues, it can be difficult to make sense of what's happening.

This is why I focused the core of the write-up on going from heap corruption to obtaining a read/write primitive, and how type confusion with internal objects can be used to achieve it.

In the next section (yet to be published), we will cover the kernel exploit portion of the 4.55 jailbreak chain. While this WebKit exploit will work on 5.02 and lower, the kernel exploit will only work on firmware 4.55 and lower.

Credits
References
Back
Top