Category PS4 CFW and Hacks       Thread starter PSXHAX       Start date Jan 29, 2020 at 1:26 PM       8,511       19            
As part of the OpenOrbis Project initiative to provide 100% free and open source development libraries / tools and following the script earlier this week, PlayStation 4 scene developer @KIWIDOGGIE (diwidog on Twitter) of updated his KiwiDoggie Productions Github repository with a DecryptedKernelLabelSyscalls Python Script ( that creates the necessary structures and labels all syscalls from a full PS4 kernel dump. :fire:

Download: / / GIT

From on Github:
#!/usr/bin/env python

# This script will create the needed structures, and label all syscalls from a FULL kernel dump
# OpenOrbis Project providing 100% free and open source development
# **** the pirates
# Created by: kiwidog (
# Started on: Febuary 14, 2019

def find_syscalls():
    Automatically finds and labels all of the syscalls in a kernel dump
    :return: Nothing
    # Get the sysent_t structure
    sysent_id = idaapi.get_struc_id("sysent_t")
    if sysent_id == idaapi.BADNODE:
        write_log("could not get the sysent_t structure.")

    # Find the magic
    magic_offset = idaapi.find_binary(idc.MinEA(), idc.MaxEA(), "4F 52 42 49 53 20 6B 65 72 6E 65 6C 20 53 45 4C 46", 16, idc.SEARCH_DOWN)
    if magic_offset == idaapi.BADADDR:
        write_log("Could not find 'ORBIS kernel SELF' magic - sysent not found")

    magic_offset = idaapi.get_imagebase() + magic_offset

    # Find the reference to the magic
    search_pattern = "%02X %02X %02X %02X FF FF FF FF" % (magic_offset & 0xFF , ((magic_offset >> 0x8) & 0xFF) , ((magic_offset >> 0x10) & 0xFF) , ((magic_offset >> 0x18) & 0xFF))
    print("magic_offset: %x" % magic_offset)
    print("search_pattern: %s" % search_pattern)
    ref = idaapi.find_binary(idc.MinEA(), idc.MaxEA(), search_pattern, 16, idc.SEARCH_DOWN)
    if not ref:
        write_log("could not find reference for orbis kernel self.")

    if ref == BADADDR:
        write_log("could not find ref")

    # Save all of the information
    sysvec = ref - 0x60
    print("sysvec: %x" % sysvec)
    result = idaapi.set_name(sysvec, "self_orbis_sysvec", idaapi.SN_NOCHECK)
    if not result:
        write_log("could not label self_orbis_sysvec.")

    # Get the number of syscalls
    syscall_count = idaapi.get_qword(sysvec)
    sysent_offset = idaapi.get_qword(sysvec + 0x8)
    result = idaapi.set_name(sysent_offset, "sysent")
    if not result:
        write_log("could not label sysent.")

    # Get the list of syscall names
    syscall_names = find_syscall_names(sysvec, syscall_count)

    write_log("Labeling %d syscalls." % syscall_count)
    i = 0
    while i < syscall_count:
        syscall_name = syscall_names[str(i)]
        syscall_sysent_offset = sysent_offset + (i * 0x30) # sizeof(sysent_t)
        syscall_func = idaapi.get_qword(syscall_sysent_offset + 0x8)

        # Attempt to get the current function that is at this address
        func = idaapi.get_func(syscall_func)

        # If no function exists, create one there
        if not func:

        # Set the name at the start of the function as a repeatable comment
        result = idaapi.set_cmt(syscall_func, syscall_name, True)
        if not result:
            write_log("could not set comment on syscall func %s." % syscall_name)

        # Set the name of the function
        result = idaapi.set_name(syscall_func, syscall_name)
        if not result:
            write_log("could not set the syscall function name %s." % syscall_name)

        # This labels the syscall number
        result = idaapi.set_cmt(syscall_sysent_offset + 0x4, "#: %d" % i, True)
        if not result:
            write_log("could not set syscall number comment")

        # Creates a sysent_t structure
        result = idaapi.create_struct(syscall_sysent_offset, 0x30, sysent_id)
        if not result:
            write_log("could not create sysent_t structure for syscall %d %s." % (i, syscall_name))

        i += 1

    write_log("found kernel self")

def install_syscall_structures():
    id = idaapi.get_struc_id("sysent_t")

    # If this structure is already installed skip it
    if id != idaapi.BADNODE:

    id = idaapi.add_struc(idaapi.BADADDR, "sysent_t")
    if not id:
        write_log("could not add structure.")

    struct = idaapi.get_struc(id)
    if not struct:
        write_log("could not get structure.")

    op_info = idaapi.opinfo_t()
    ri_info = idaapi.refinfo_t()
    ri_info.flags = idaapi.REF_OFF64 = idaapi.BADADDR
    ri_info.base = 0
    ri_info.tdelta = 0
    op_info.ri = ri_info

    result = idaapi.add_struc_member(struct, "sy_narg", 0x0, idaapi.dword_flag(), None, 4)
    if result:
        write_log("Failed adding sy_narg to sysent_t struct.")

    result = idaapi.add_struc_member(struct, "sy_call", 0x8, idaapi.qword_flag() | idaapi.off_flag(), op_info, 8)
    if result:
        write_log("Failed adding sy_call to sysent_t struct.")

    result = idaapi.add_struc_member(struct, "sy_auevent", 0x10, idaapi.word_flag(), None, 2)
    if result:
        write_log("Failed adding sy_auevent to sysent_t struct.")

    result = idaapi.add_struc_member(struct, "sy_systrace_args_func", 0x18, idaapi.qword_flag() | idaapi.off_flag(), op_info, 8)
    if result:
        write_log("Failed adding sy_systrace_args_func to sysent_t struct.")

    result = idaapi.add_struc_member(struct, "sy_entry", 0x20, idaapi.dword_flag(), None, 4)
    if result:
        write_log("Failed adding sy_entry to sysent_t struct.")

    result = idaapi.add_struc_member(struct, "sy_return", 0x24, idaapi.dword_flag(), None, 4)
    if result:
        write_log("Failed adding sy_return to sysent_t struct.")

    result = idaapi.add_struc_member(struct, "sy_flags", 0x28, idaapi.dword_flag(), None, 4)
    if result:
        write_log("Failed adding sy_flags to sysent_t struct.")

    result = idaapi.add_struc_member(struct, "sy_thrcnt", 0x2C, idaapi.dword_flag(), None, 4)
    if result:
        write_log("Failed adding sy_thrcnt to sysent_t struct.")

def find_syscall_names(sysvec, syscall_count):
    # Ensure that we got a valid sysvec
    if sysvec == idaapi.BADADDR:

    # Hold our syscall names
    syscall_names = { }

    # Get the syscall names offset
    syscall_names_offset = idaapi.get_qword(sysvec + 0xD0)

    # Iterate through all of the syscall names and save them
    i = 0
    while i < syscall_count:
        pos = syscall_names_offset + (0x8 * i)

        idaapi.op_offset(pos, 0, idaapi.REF_OFF64)

        name_offset = idaapi.get_qword(pos)
        name_length = idaapi.get_max_strlit_length(name_offset, idaapi.STRTYPE_C)
        syscall_name = str(idaapi.get_strlit_contents(name_offset, name_length, idaapi.STRTYPE_C))

        if syscall_name.find("#") != -1 or syscall_name.find("obs_{") != -1:
            syscall_name = ("nosys_%d" % i)

        #print("#define __NR_%s %d" % (syscall_name, i))
        syscall_names[str(i)] = syscall_name
        i += 1

    return syscall_names

def write_log(message):
    idaapi.msg("[OpenOrbis] %s\n" % message)

if __name__ == "__main__":
Cheers to @HydrogenNGU for the heads-up on Twitter earlier today! šŸ»
DecryptedKernelLabelSyscalls Python Script for PS4 Scene Developers.jpg


Indie Developer

The problem (if we can call it problem) is that in this ps4 scene there are real developers, unlike the ps3 scene where there were real hackers/crackers who were going to pierce the system to encourage and enable backups.

The current dev interested in the ps4 scene do not want (publicly in their way to say) encourage backups so every public release you see is purely useless for an end-user, is only useful to developers who aspire to develop homebrew with legitimate and unleaked ***s.

As stated several times, the PS4 system is not as secure as it seems , but just think that last kex released public goes back to 5.05, no information about SAMU/keys.

So if you want to hear my advice, update your console and enjoy recent games by buying them. Because if you're not a developer or an aspiring developer, all the progress you see is useless.


Senior Member
There are 2 big AAA games are coming the top one is the last of us 2 after that I hope the will release kex kernel I knew that after 5.05 there will be a big gape like it was on ps3 3.55. Look if they release it now sony will patch upcoming framware.

Developers are doing good and it is for us. That I think maybe I am 100% wrong.


Senior Member
@Indie Developer
Thanks for the post but I'm not sure where you got the notion of... anything... for that reply (haha).

I dgaf about backups or a new kex or whatever. Not even a little. Well, ok, a little in that extracting PKGs can be fun and not having to buy them to so it is cool but beyond that I don't care.

I have a Phat that I recently updated from 505 to play Death Stranding. I also have a Pro on 455 that I haven't touched for the day I feel like 505 is worth using... like the (possibly) soon release of an open *** may allow due to more homebrew!

I agree with your sentiment of why the scene has been mostly dead but I'm just happy that it may not be dead soon for literally any reason. So that's cool, ya know, but I give zero fcks about backups or a new kex. Heck, for a new kex to do anything beyond backups it needs ports that only an easy to use *** can supply so I don't care about a new kex. It can come or go or wait or stay or whatever.

I want a lively scene that has a ton of homebrew I can use to use to mess around with so this makes that closer to reality so YAY THIS!! Haha


Guys open your eyes, there are no more hackers / crackers of the past, I remember that everything went out on ps3, including backup manager, homebrew, and every time a ps3 update came out immediately after the cfw came out, now instead you have to hope, and ugly to say but they don't have the balls like the other hackers / crackers of the past that released everything

Indie Developer

What you said is stupid. It doesn't have to be the same thing as the PS3 scene, it can never be the same just because there are different people working on it.

Simply the current developers are let's say real dev and not crackers/hackers/exploiters or as you like to call them, there's a difference between these types of categories.


All this talk about hackers being unavailable is quite funny cuz the switch is seeing warez with any update. It can be assumed that it is an hardware exploit but even switches without the Fusee Gelee exploit still get updates.

The hackers are still available but might just not be interested in PS4 for whatever reason. A new exploit will come out eventually for the ps4 either quite soon or by June or by the time ps5 gets released.

Honestly I feel ps5 has a better chance of getting an exploit than the current PS4 even though it ain't out yet.
Recent Articles
PlayStation Store Essential Picks PSN Sale with Savings Up to 70% Off
PlayStation fans can save up to 70% off critically acclaimed must-have games during the PS Store Essential Picks sale beginning today on select PSN titles including Star Wars Jedi: Fallen Order...
Sony Introduces PlayStation Player Celebration to Win Exclusive Prizes
Proceeding the launch of their Mobile & Web Competition Center, today Sony invites PlayStation Gamers to join the PlayStation Player Celebration to play games, earn Trophies to unlock shared...
Red Dead Online Recreation in Dreams on PS4 by Rikkiscafe
We've seen a MGS HD Remake, a FFVII Dreamake, some RDR2 Mods and the latest Red Dead Online PS4 creation in Dreams by Media Molecule comes from Rikkiscafe via iferraz2. šŸ¤  For those who haven't...
Hunt: Showdown Brings Bounty Hunters to PlayStation 4 Next Week
Next week join the rugged bounty hunters of Hunt: Showdown as they rid the world from the savage, nightmarish monsters roaming the Louisiana swamps! :eek: Hunt's competitive, match-based gameplay...