zecoxao shared a guide today on how to decrypt and dump PS4 usermodules with help from skeu.
To recap for those new, the first decrypted PlayStation 4 game was done by PS4 scene release group EPEEN, and scene group TRSi also sent out a call for decryption testers recently.
Read all about it below, to quote:
Tutorial: How to decrypt and dump usermodules
First of all I'd like to say thank you to the person who has allowed me to post this tutorial. His English isn't perfect so he asked me to make this tutorial on his behalf. Thanks, grass skeu
So for this, you'll need:
- ps4sdk precompiled
- elf-loader precompiled OR alternatively extreme-modding.de's elf loader (found here)
- the payload source (DumpFile.zip)
- 1.76 console
- fat32 usb pendrive
1- Fire up elf loader on your 1.76 console
2- Let it load all the way up to stage 5 without memory errors!
3- Compile the payload source. You can specify in between:
Code:
ps4KernelExecute((void*)path_self_mmap_check_function, NULL, &ret, NULL);
and
Code:
ps4KernelExecute((void*)unpath_self_mmap_check_function, NULL, &ret, NULL);
which module(s) you want to decrypt. If you want, you can even decrypt all modules from the 1.76 Dump released a while ago! This includes elf, self, prx, sprx, sexe, sdll and eboot.bin.
However, take into notice that you can only decrypt usermodules from disc or psn apps when you have loaded them and minimize them (by pressing ps button), and only from absolute path! (due to npdrm management)
I have left an example:
Code:
decrypt_and_dump_self("/mini-syscore.elf", "/mnt/usb0/mini-syscore.elf");
So, the elf will be written to usb0 (rightmost port), but you can specify others.
4. Run listener (if you want, this is optional):
Code:
socat - TCP:my.ps4.ip.here:5052
where ps4 ip is your local ip (mine is 192.168.1.72)
5. Finally send payload:
Code:
socat -u FILE:path/to/DumpFile TCP:my.ps4.ip.here:5053
specifying the path to the payload and the ip. If the payload fails to be executed with an out of memory error, just stabilize on stage 5 WITHOUT restarting the console and try again.
Any doubts please ask. And all credits go to grass skeu for this awesome trick
Just a small note: segment 0x6fffff01 cannot be "decrypted" from game eboots because... it's a plaintext segment in an encrypted file.
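The closing note about segment 0x6fffff01 can be checked on an output file by walking its ELF64 program headers, which also shows whether the file is a complete ELF at all. This is an added example, not part of the quoted tutorial or the payload source; it assumes little-endian ELF64 output, the function names are hypothetical, and the sample image is constructed.

```python
import struct

SEG_TYPE = 0x6FFFFF01  # segment type quoted in the note above
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 file header, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # ELF64 program header, 56 bytes

def list_segments(data):
    """Return [(p_type, p_offset, p_filesz, complete)] for an ELF64 LE image."""
    if len(data) < EHDR.size or data[:4] != b"\x7fELF":
        raise ValueError("no ELF magic: output is not a decrypted ELF")
    if data[4:6] != b"\x02\x01":
        raise ValueError("expected ELFCLASS64, little-endian")
    f = EHDR.unpack_from(data)
    e_phoff, e_phentsize, e_phnum = f[5], f[9], f[10]
    if e_phentsize != PHDR.size or e_phoff + e_phnum * PHDR.size > len(data):
        raise ValueError("program header table is malformed or truncated")
    segs = []
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz, _, _ = PHDR.unpack_from(
            data, e_phoff + i * PHDR.size)
        # A segment whose bytes run past end-of-file marks a short dump.
        segs.append((p_type, p_offset, p_filesz, p_offset + p_filesz <= len(data)))
    return segs

def segment_bytes(data, wanted=SEG_TYPE):
    """Return the file bytes of the first complete segment of type `wanted`, else None."""
    for p_type, off, size, complete in list_segments(data):
        if p_type == wanted and complete:
            return data[off:off + size]
    return None

def build_sample():
    """Constructed two-segment ELF64 image for the demo (not a console module)."""
    ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    base = EHDR.size + 2 * PHDR.size
    ehdr = EHDR.pack(ident, 2, 62, 1, 0, EHDR.size, 0, 0, 64, 56, 2, 0, 0, 0)
    load = PHDR.pack(1, 5, base, 0, 0, 32, 32, 0x1000)  # PT_LOAD
    note = PHDR.pack(SEG_TYPE, 4, base + 32, 0, 0, 16, 16, 1)
    return ehdr + load + note + b"\x90" * 32 + b"constructed-data"

if __name__ == "__main__":
    img = build_sample()
    for p_type, off, size, ok in list_segments(img):
        print(f"type={p_type:#010x} off={off:#x} size={size:#x} complete={ok}")
    print(segment_bytes(img))
```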