PS4 CFW and Hacks | Thread starter: PSXHAX | Start date: Nov 22, 2016 at 11:50 PM
Over the weekend we covered some PS4Link news, and today PlayStation developer @zecoxao announced on Twitter that Peek and Poke support has been added to the PS4Link Git repository, alongside PS Vita kernel dumping in St4rk's VitaDump Git repository, with details below! <3

Download: PS4Link VirtualMemQuery Sample via droogie / PS4Link GIT / VitaDump Support Dumping Kernel Modules via d3m3vilurr / VitaDump GIT /
kDump.skprx (74.25 KB) / pcff.7z (6.93 MB) / pcbc.7z (21.85 KB) / workdir.7z (47.25 KB) / vitadump.7z (207.24 KB) / VitaDump GIT (Zecoxao)

He also shared a precompiled VitaDump kernel plugin, tested on taiHENkaku Beta 4, which should dump kernel modules to ux0:/dump, and, for PS4 developers, the NID for sceAppInstUtilAppInstallPkg: bpLyMf0oVwQ, in response to @flatz's recent update.

Those who have been in the scene since at least the early PlayStation 3 days will recall Netkas and flukes1 first added Peek and Poke support to the PS3, which was then supported in countless PS3 Custom Firmware releases. (-:

Here are some related Tweets:

NIDs Explained

What are they:

Function names, variables, etc., but obfuscated. Known as (N)ame (ID)entifiers.

How to get a NID from:

PSP

SHA-1 hash of the function or variable name string; take the first 4 bytes and endian-swap them as a 32-bit value.

Warning: Some NIDs have to be manually guessed! From 3.70 at least, there is no solution to find the suffix (yet).

PSVita

SHA-1 hash of the function or variable name string; take the first 4 bytes and endian-swap them as a 32-bit value.

Warning: Some NIDs have to be manually guessed! There is no solution to find the suffix (yet).
Warning 2: NIDs like module_start, etc. (NONAME) have suffix c1b886af5c31846467e7ba5e2cffd64a as key.

PS3

SHA-1 hash of the function name string plus the binary key 6759659904250490566427499489741A (in hex);
take the first 4 bytes and endian-swap them as a 32-bit value.

Warning: NIDs like module_start, etc. (NONAME) have suffix bc5eba9e042504905b64274994d9c41f as binary key.

PS4

SHA-1 hash of the function or variable name string plus the binary key 518D64A635DED8C1E6B039B1C3E55230;
grab first 8 bytes?, endian swap 64? and finally convert to Sony's special base64
(I believe replace - with = for charset)

Bruteforcing:

Using custom hashcat.

Algos:
  • PS3, Python
    Code:
    import struct
    from binascii import unhexlify as uhx
    from hashlib import sha1

    # ref https://github.com/SocraticBliss/ps4_name2nid_plugin

    NEW_NIDS = {}
    AEROLIB  = 'nids.txt'        # output: one "0xNID name" pair per line
    NAMES    = 'ps3_names.txt'   # input: one symbol name per line

    def name2nid(name):
        # SHA-1 over the name followed by the PS3 binary key
        symbol = sha1(name.encode() + uhx(b'6759659904250490566427499489741A')).digest()
        # first 4 digest bytes read little-endian (the 32-bit endian swap)
        nid = struct.unpack('<I', symbol[:4])[0]
        NEW_NIDS[nid] = name

    def save_nids(NIDS):
        # write the table sorted by symbol name
        with open(AEROLIB, 'w') as csvFile:
            for nid, name in sorted(NIDS.items(), key=lambda x: x[1]):
                csvFile.write('0x%08X %s\n' % (nid, name))

    with open(NAMES, 'r') as f:
        for line in f:
            line = line.strip()
            if line:  # skip blank lines
                name2nid(line)

    save_nids(NEW_NIDS)
  • PS4, Python
    Code:
    import hashlib
    import struct
    from base64 import b64encode as base64enc
    from binascii import unhexlify as uhx

    # ref https://github.com/SocraticBliss/ps4_name2nid_plugin

    NEW_NIDS = {}
    AEROLIB  = 'aerolib.csv'     # output: one "NID name" pair per line
    NAMES    = 'ps4_names.txt'   # input: one symbol name per line

    def name2nid(name):
        # SHA-1 over the name followed by the PS4 binary key
        symbol = hashlib.sha1(name.encode() + uhx('518D64A635DED8C1E6B039B1C3E55230')).digest()
        # first 8 digest bytes read little-endian (the 64-bit endian swap)
        value  = struct.unpack('<Q', symbol[:8])[0]
        # base64 with '+' and '-' as the last two alphabet characters, padding stripped
        nid    = base64enc(uhx('%016x' % value), b'+-').rstrip(b'=')
        NEW_NIDS[nid] = name

    def save_nids(NIDS):
        # write the table sorted by symbol name
        with open(AEROLIB, 'w') as csvFile:
            for nid, name in sorted(NIDS.items(), key=lambda x: x[1]):
                csvFile.write('%s %s\n' % (nid.decode('utf-8'), name))

    with open(NAMES, 'r') as f:
        for line in f:
            line = line.strip()
            if line:  # skip blank lines
                name2nid(line)

    save_nids(NEW_NIDS)
Good links:
Thanks to @raedoob for the heads up in the PSXHAX Shoutbox! :fire:
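
The NID derivations from the "NIDs Explained" section above, gathered into one added example (not part of the original post or of the referenced plugin): it computes the 32-bit and PS4 NIDs, decodes a PS4 NID back to the 8 digest bytes it carries, and resolves NIDs from an import table against a candidate wordlist. The `example...` names and the `IMPORTS` list are constructed sample data, and the `key=` override for trying a different suffix (such as the NONAME ones) is an assumption about how that suffix is applied.

```python
import hashlib
from base64 import b64decode, b64encode

# Binary keys as quoted on the page; PSP and PS Vita hash the bare name.
KEYS = {
    "psp": b"",
    "vita": b"",
    "ps3": bytes.fromhex("6759659904250490566427499489741A"),
    "ps4": bytes.fromhex("518D64A635DED8C1E6B039B1C3E55230"),
}

def digest(name, platform, key=None):
    """SHA-1 of name + key; key= overrides the default (assumed use for NONAME)."""
    suffix = KEYS[platform] if key is None else key
    return hashlib.sha1(name.encode() + suffix).digest()

def nid32(name, platform, key=None):
    """PSP / Vita / PS3: first 4 digest bytes read little-endian."""
    return int.from_bytes(digest(name, platform, key)[:4], "little")

def nid64(name, key=None):
    """PS4: first 8 digest bytes reversed, base64 with '+-', padding dropped."""
    swapped = digest(name, "ps4", key)[:8][::-1]
    return b64encode(swapped, b"+-").rstrip(b"=").decode()

def nid64_to_prefix(nid):
    """Undo only the encoding: the 8 digest bytes behind an 11-char PS4 NID."""
    return b64decode(nid + "=", b"+-")[::-1]

def resolve(imports, wordlist, platform):
    """Match NIDs from a stripped import table against candidate names."""
    make = nid64 if platform == "ps4" else (lambda n: nid32(n, platform))
    table = {}
    for name in wordlist:
        table.setdefault(make(name), []).append(name)  # 32-bit NIDs can collide
    return {nid: table.get(nid, []) for nid in imports}

# Constructed sample data: one name from the page plus made-up candidates.
WORDLIST = ["sceAppInstUtilAppInstallPkg", "exampleOpenDevice", "exampleCloseDevice"]
IMPORTS = [nid64("exampleOpenDevice"), nid64("exampleNotInWordlist")]

if __name__ == "__main__":
    for nid, names in resolve(IMPORTS, WORDLIST, "ps4").items():
        print(nid, nid64_to_prefix(nid).hex(), names or "unresolved")
    # Compare against the pair quoted on the page (prints True on a match).
    print(nid64("sceAppInstUtilAppInstallPkg") == "bpLyMf0oVwQ")
```

Decoding a NID only recovers a hash prefix, never the name, which is why unresolved entries need a larger wordlist or manual guessing.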

Comments

Will it be possible to downgrade on ps4 type: 4.05 to 4.01 or 4.06 to 4.01?

It's tricky to be expecting because psn has many promotions and some cheap games!
 