Following the 1.76 demo videos, 4.05 PS4 Kernel Exploit and PS4 4.05 Game Modding Payload alongside his Full Debug Settings Payload, today PlayStation 4 developer @2much4u made available a PS4 GTA V Native Caller via Twitter, while @0x199 released a Nice Fly PS4 4.05 Game Mod and a Firebreather PS4 4.05 Mod for GTAV 1.00 on Twitter, following his other PS4 game mods. :D

Download: PS4-GTA-V-Native-Caller-4.05.zip / GIT / nicefly_405.bin (17 KB) / firebreather_405.bin (14 KB) / PS4 GTA V Native Caller 4.05 Byroms Edit.rar (8 KB) by mb2010

For the Nice Fly PS4 4.05 Game Mod, he notes to quote: "Hold Square to fly. Once flying, hold R2 to boost. As a small addon, this version also enables North Yankton. Enjoy!"

For the Firebreather mod on PS4 4.05 for GTAV 1.00 he states: "Simply press R1 to breathe fire (don't press too many times). Ported from PC by me, credits to Kokolaty for originally developing this mod."

And from the README.md, to quote:

PS4 GTA V Native Caller

A simple example of calling natives on PS4 GTA V using idc's adaptation of CTurt's PS4 ***.

Brief Explanation

Purpose

A large part of GTA V is controlled by custom script files Rockstar writes in their own format. A virtual processor is included in each version of the game to interpret these scripts. The main way for them to interact with and control the game is to invoke natives. Natives are functions defined within the game's executable. In the same way that scripts use natives to control the game, arbitrarily calling them will allow the caller to control the game to his/her desire. The purpose of this payload is to provide an easy way of doing just that. It includes a few small examples: making the player invincible, giving the player super jump, and teleporting the player when a button combination is pressed.

Setting Up Execution

First, a kernel payload is executed to escape the sandbox, escalate the web browser's privileges, and make appropriate kernel patches. The kernel payload also disables ASLR for newly created processes, making it much easier to modify them. Afterwards, the browser payload constantly checks the running processes waiting for one called eboot.bin. Once a game process is found, the syscall ptrace is used to read and write to it. With ASLR disabled, the EBOOT always starts at 0x400000 in memory. A few bytes are read from the EBOOT to verify that the game is GTA V and to detect the region.

Functions for making syscalls, invoking natives, and setting up the environment are copied into free executable space within the EBOOT. The native IS_PLAYER_ONLINE is hooked with the function to set up the execution environment. This function allocates more memory within GTA's process since the EBOOT has limited space. Once this setup function is called from GTA, the browser payload copies a standard main function into that newly allocated space and exits.

Executing Inside GTA V

Once executing within GTA V, a structure called gtaVars is declared in some arbitrarily allocated memory to keep track of global variables. The native table has the same structure as on other platforms, making it easy to work with. The native hashes on PS4 GTA V 1.00 are also the same as the 1.00 native hashes on PC, meaning the documentation on NativeDB can be used. The majority of the code in nativeHook is filtered to only execute once a frame (IS_PLAYER_ONLINE is called multiple times a frame), in order to keep things smooth. This will be more important for any drawing.

Restrictions

Functions

Functions called from nativeHook must always be inline or GTA will crash. This is because, when compiled, nativeHook will expect those functions to be at specific locations relative to itself. Once nativeHook is copied to a different location, those relative addresses will be incorrect. The exceptions to this are functions declared in the payload by their absolute address, such as invokeNative.

Strings

Since nativeHook is copied to a different location, strings will have the same relative address issue as called functions. A simple way around this is to define them on the stack like:
Code:
const char helloWorld[] = "hello world";
This is necessary so the compiler does not place the string in the data segment.

Global Variables

Global variables also have the same relative address issue. In order to mitigate this, keep track of global variables with the gtaVars structure defined in gta.h.
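As an added illustration (not code from the Native Caller repository), the following C program models two of the README's rules together: the IS_PLAYER_ONLINE table entry is swapped for nativeHook while the original is kept callable, and all mutable state lives in a gtaVars struct reached through a pointer rather than in globals. The native table layout, the placeholder hashes and the frame-counter gate used to run the hook body once per frame are my assumptions; the README only says the body is filtered to once a frame.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for a native-table entry: 64-bit hash -> handler. */
typedef void (*native_fn)(void *ctx);
typedef struct { uint64_t hash; native_fn fn; } native_entry;

/* Mirrors the README's gtaVars idea: every piece of state the hook
 * touches is in this struct, so the copied code needs no .data/.bss. */
typedef struct {
    native_fn original_is_player_online;   /* saved table entry */
    uint32_t  frame_count;                 /* constructed: advanced by the "game" */
    uint32_t  last_frame_seen;             /* frame in which the body last ran */
    uint32_t  hook_calls;                  /* every invocation of the hook */
    uint32_t  body_runs;                   /* invocations that passed the gate */
} gtaVars;

#define HASH_IS_PLAYER_ONLINE 0x1111ULL    /* placeholder, not the real hash */

static void is_player_online_orig(void *ctx) { (void)ctx; }

/* Installed over IS_PLAYER_ONLINE, which the game calls several times per
 * frame. Assumed gate: skip the body until the frame counter changes. */
static void nativeHook(void *ctx) {
    gtaVars *g = ctx;
    g->hook_calls++;
    g->original_is_player_online(ctx);     /* keep the game's own behaviour */
    if (g->last_frame_seen == g->frame_count) return;
    g->last_frame_seen = g->frame_count;
    g->body_runs++;                        /* per-frame work would go here */
}

/* Swap the table entry for the hook, remembering the original. */
bool install_hook(native_entry *table, size_t n, uint64_t hash, gtaVars *g) {
    for (size_t i = 0; i < n; i++) {
        if (table[i].hash != hash) continue;
        g->original_is_player_online = table[i].fn;
        table[i].fn = nativeHook;
        return true;
    }
    return false;
}

/* Drive `frames` frames of `calls_per_frame` native calls each and return
 * the resulting state; frames are numbered from 1 so frame 1 is not skipped. */
gtaVars simulate(uint32_t frames, uint32_t calls_per_frame) {
    gtaVars g = {0};
    native_entry table[2] = {{0x2222ULL, is_player_online_orig},
                             {HASH_IS_PLAYER_ONLINE, is_player_online_orig}};
    if (!install_hook(table, 2, HASH_IS_PLAYER_ONLINE, &g)) return g;
    for (uint32_t f = 1; f <= frames; f++) {
        g.frame_count = f;
        for (uint32_t c = 0; c < calls_per_frame; c++) table[1].fn(&g);
    }
    return g;
}
```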

Space

By default 0x10000 bytes will be allocated for nativeHook and 0x4000 bytes for gtaVars. These sizes can be adjusted if need be.

Multiple Instances

When executed multiple times, the payloads will replace each other rather than executing simultaneously.

Miscellaneous Notes

Natives

Only a few natives are defined in natives.h. However, more can be defined as necessary.

Buttons

Button IDs for PS4 are different from last gen and PC, so a simple mapping of them is included. Button_Tpad_X and Button_Tpad_Y can be used with the natives GET_CONTROL_VALUE and GET_CONTROL_NORMAL for touchpad input. Button_Tpad just indicates whether the touchpad is pressed.

Testing

Since this payload injects functions into EBOOT memory, different versions of the payload can be tested without having to restart GTA.

Closing Remarks

This is a fairly primitive way to go about modding a game; expect some strange and quirky bugs while using this.

Credits

Specter, CTurt, qwertyoruiopz, flatz, idc, SKFU, droogie, Xerpi, bigboss, Hunger, Takezo, and Proxima - PS4 research making all this possible

Alexander Blade and NativeDB Contributors - Native research making GTA V stuff relatively easy to port to PS4

This includes the necessary kernel patches to get ptrace working. I know many devs have been struggling with that. Also, the payload now allocates memory within GTA to eliminate the limited space issue that existed on the 1.76 version.
Don't forget to recompile idc's payload *** before using this. He pushed an update today that added support for the kexec syscall which is needed for this payload.
PS4 4.05 Mod - GTA V Nice Fly Mod
GTA V Firebreather MOD Thanks to 0x199, 2much4u, seb5594 (PS4 4.05) by GrimDoe
GTA V Nice Fly Mod Overview 4.05 PS4
Thanks to both @B7U3 C50SS and @offLife for the news tips in the PSXHAX Shoutbox tonight! <3

Comments

I'm using ps4-exploit-host. I run the idc exploit - send PS4HEN.bin - click OK at the popup - back out and run GTA - send nicefly_405.bin. Seems to work fine for me doing it that way, apart from the fire breather, which freezes when I press R1.

How do you send the second payload? Do you restart the manual after you launched GTA, choose IDC and then send the nicefly payload? If I try to send the second payload right away I get the following messages:
Choose a payload to send: 3
>> Sending integrated HEN...
>> Connected to PS4
>> Payload Sent!
Send another payload? (Y/n): y
┌────────────────────────────────────────────────────────┐
│ Payload │
├────────────────────────────────────────────────────────┤
│ 1. Don't send a payload │
│ 2. Integrated FTP/UART/Debug (Mistawes) │
│ 3. Integrated HEN (VV1LD) │
│ 4. Integrated FTP w/ Decryption (xvortex) │
│ 5. DumpFile405.bin │
│ 6. firebreather_405.bin │
│ 7. libftps4-master.bin │
│ 8. nicefly_405.bin │
└────────────────────────────────────────────────────────┘
Choose a payload to send: 8
>> Sending nicefly_405.bin...
ERROR: Payload sender timed out

If I close the manual, close ps4-exploit-host and restart it, then go to the manual and choose IDC again, my console dies in 90% of the cases. I was able to send the payload after sending PS4HEN with Specter's exploit, but there was no flying effect.