PS4 CFW and Hacks · Thread starter: PSXHAX · Start date: Sep 21, 2020 at 12:15 AM
Earlier this month @2much4u (Twitter) shared a GTA V Native Caller PS4 Port to GTA 1.32 WIP Pack via @Andrew Marques (Twitter), and today he extended the invitation to anyone else interested in finishing his work-in-progress (WIP) for Grand Theft Auto V PS4 scene fans.

Download:
  • PS4-GTA-V-Native-Caller.bin (1 MB - US)
  • PS4-GTA-V-Native-Caller.bin (1 MB - EU - Crashes)
  • PS4-GTA-V-Native-Caller.zip (515 KB - WIP Pack)
  • PS4-GTA-V-Menu-Base-6.72-1.00.zip
  • ArabicGuy-1.0-6.72-1.32.zip via cspencer49519 (GraFfiX49519)
  • PS4 GTA V Native Caller GIT
  • PS4-GTA-V-Menu-Base-6.72-1.00.zip via Mustafa0436
  • PS4 GTA V Menu Base GIT
  • ArabicGuy.rar (60 KB - 1.27 bin)
  • ArabicGuy-1.0-132.bin.zip (70 KB - 1.32 bin)
  • GTA ArabicGuy Menu.zip (201 KB - includes ArabicGuy100.bin, ArabicGuy127.bin and ArabicGuy132.bin)
  • Lamance_672_132_.bin (1.02 MB - Lamance Menu v0.8 for 1.32 on PS4 6.72) via david1337hax
  • Lamance_672_132_fixed.bin (1.02 MB - Lamance Menu v0.8.1 for 1.32 on PS4 6.72) via david1337hax
  • GTAV Mods 7.02 Ports via @karo218
  • BeefQueefMod-672-702-v133.zip (323 KB)
  • GTAV 75X.zip (7.1 MB - GTAV 75X Payload Ports)
  • BeefQueefMod-PS4-900-133.zip (165 KB - includes BeefQueefMod-PS4.bin)

From 2much4ux's Tweet below, to quote: "I mostly ported GTA V Native Caller to GTA 1.32, but didn't have time to finish before school hit. I tossed the unfinished source at Andrew a while back. If anyone wants to try to complete it, go for it!"

This latest Grand Theft Auto V pack comes following the previously released GTA V Native Caller, GTA 5 Native Caller Updates, GTA V Menu Base PS4 Mod Menu GUI, more GTA V Native Caller Updates, another GTA V Native Caller / Invoker, GTA V PS4 5.05 LTS Menu Base 1.27 with Native Caller and GTA 5 Mod Menus from earlier this year.

From the README.md: PS4 GTA V Native Caller

A simple example of calling natives on PS4 GTA V using Vortex's adaptation of CTurt's PS4 ***.

Brief Explanation

Purpose

A large part of GTA V is controlled by custom script files Rockstar writes in their own format. A virtual processor is included in each version of the game to interpret these scripts. The main way for them to interact with and control the game is to invoke natives.

Natives are functions defined within the game's executable. In the same way that scripts use natives to control the game, arbitrarily calling them will allow the caller to control the game to his/her desire. The purpose of this payload is to provide an easy way of doing just that. It includes a few small examples: making the player invincible, giving the player super jump, and teleporting the player when a button combination is pressed.

Setting Up Execution

First, a kernel payload is executed to escape the sandbox, escalate the web browser's privileges, and make appropriate kernel patches. The kernel payload also disables ASLR for newly created processes, making it easier to modify them. Afterward, the browser payload constantly checks the running processes waiting for one called eboot.bin.

Once a game process is found, the syscall ptrace is used to read and write to it. With ASLR disabled, the EBOOT always starts at 0x400000 in memory. A few bytes are read from the EBOOT to verify that the game is GTA V and to detect the region. A small function for setting up the execution environment is copied into free executable space in the EBOOT and IS_PLAYER_ONLINE is hooked to call it.

This function allocates more memory within GTA's process since the EBOOT has limited space. Once the setup is complete, the GTA payload is copied into the newly allocated space, the setup function starts executing it, and the browser payload exits.

Executing Inside GTA V

The GTA payload will execute any time the native IS_PLAYER_ONLINE is called by one of Rockstar's scripts. GTA V has a native lookup table that allows for quickly obtaining a native's address from its hash. However, on newer versions of the game, that table is obfuscated. Therefore, this payload calls natives directly by address rather than using the lookup table.

Native functions are the same as they are on the PC version of the game, meaning the documentation on NativeDB can be used. The majority of the code in the GTA payload is filtered to only execute once a frame (IS_PLAYER_ONLINE is called multiple times a frame), in order to keep things smooth. This will be more important for any drawing.

Miscellaneous Notes

Building

The GTA payload is automatically built and included in the browser payload, so you only need to run make in the main directory.

Buttons

Official documentation of the button indices is included in gtaPayload/include/types.h; however, it uses Xbox names, so Y is Triangle, X is Square, and so on.

Testing

Since this injects a payload into GTA's process, multiple versions can be tested without having to restart the game. Each instance will replace the previous one, so multiple payloads cannot be run at once.

Credits
  • Specter, CTurt, qwertyoruiopz, flatz, idc, SKFU, droogie, Xerpi, bigboss, Hunger, Takezo, and Proxima - PS4 research making all this possible
  • Alexander Blade and NativeDB Contributors - Native research making GTA V stuff relatively easy to port to PS4
  • EROOTIIK - Obtaining and parsing the vast majority of native addresses

Also from the README.md: LTS Menu Base Port

A simple menu base ported from PS3 LTS Menu using the source.

Credits:

2Much4u and EROOTIK, 2Much4u for the native caller and EROOTIK for everything for 1.27. Oh, and whoever leaked the LTS menu source.

And from the other README.md: PS4 GTA V Menu Base

A mod menu GUI for PS4 GTA V built on top of my native caller.

How to Activate
  • Press DPAD RIGHT + SQUARE

PAY ATTENTION PLEASE!

This mod menu is very unstable and will most likely crash GTA V many times before you get it to work. If you load ArabicGuy first, close the game, and then load this mod menu, it will work. Also, the mod menu will only work with Leeful's HEN.


Key Features
  • Unlimited submenus
  • Unlimited options
  • Option & submenu remembrance
  • Auto adjusting and scrolling background
  • Full customization
  • Simple keyboard input and handling
  • Support for numerous dynamic option types
  • Button instructions display
  • Example options and vehicle spawner

Notes

While the example submenus showcase much of the menu base's functionality, more is possible. Check out menu.cpp for all supported option types.

Menu::vehicleSpawn and Menu::vehicleToSpawn are only for the example vehicleSpawner submenu and are unnecessary to the overall menu base.

The UI is fairly simple and open to more advanced customization such as the addition of sprites.


Comments

@kevambert Well, if that's the case. But the files I uploaded are only for 1.00, so if you have used one of them, you now have the answer to why it didn't work. What about the 1.27 I did? What happens if you run these 2?
 
@Mustafa0436 @kevambert Looking at GiantPluto's ps4debug for 6.72, I think we may need the complete "patch kernel" section. This is why I'm going to attempt to implement the ksdk instead of libps4. Unless anyone knows how to write the equivalent code? The code for ps4debug is where I found the second ptrace patch.
 
@GraFfiX420
Are you saying there are two ptrace_check patches, like from firmware 4.05?
This is from 2much4u's 4.05-1.27 Menu-Base:
Code:
    kern.c
    // Disable ptrace checks
    ptrKernel[KERN_PTRACE_CHECK_1] = 0xEB;
    *(uint16_t*)&ptrKernel[KERN_PTRACE_CHECK_2] = 0x27EB;
    
    kern.h
    #define KERN_PTRACE_CHECK_1 0xAC2F1
    #define KERN_PTRACE_CHECK_2 0xAC6A2

Do you have a link to where you found the second ptrace patch?
 
@kevambert Yes, that's exactly what I'm saying, this is an excerpt from installer.c for the version of ps4debug GiantPluto released for 6.72:
Code:
void patch_kernel() {
    cpu_disable_wp();

    uint64_t kernbase = get_kbase();

    // patch memcpy first
    *(uint8_t *)(kernbase + 0x003C15BD) = 0xEB;

    // patch sceSblACMgrIsAllowedSystemLevelDebugging
    memcpy((void *)(kernbase + 0x00233BD0), "\x48\xC7\xC0\x01\x00\x00\x00\xC3", 8);

    // patch sceSblACMgrHasMmapSelfCapability
    memcpy((void *)(kernbase + 0x00233C40), "\x48\xC7\xC0\x01\x00\x00\x00\xC3", 8);

    // patch sceSblACMgrIsAllowedToMmapSelf
    memcpy((void *)(kernbase + 0x00233C50), "\x48\xC7\xC0\x01\x00\x00\x00\xC3", 8);

    // disable sysdump_perform_dump_on_fatal_trap
    // will continue execution and give more information on crash, such as rip
    *(uint8_t *)(kernbase + 0x00784120) = 0xC3;

    // self patches
    memcpy((void *)(kernbase + 0x000AD2E4), "\x31\xC0\x90\x90\x90", 5);

    // patch vm_map_protect check
    memcpy((void *)(kernbase + 0x00451DB8), "\x90\x90\x90\x90\x90\x90", 6);

    // patch ptrace
    *(uint8_t *)(kernbase + 0x0010F879) = 0xEB;
    memcpy((void *)(kernbase + 0x10FD22), "\xE9\xE2\x02\x00\x00", 5);

    // disable ASLR
    *(uint8_t *)(kernbase + 0x003CECE1) = 0xEB;

    // patch kmem_alloc
    *(uint8_t *)(kernbase + 0x002507F5) = VM_PROT_ALL;
    *(uint8_t *)(kernbase + 0x00250803) = VM_PROT_ALL;

    cpu_enable_wp();
}
@kevambert As you can see, there is a second ptrace patch. I'm not sure what other patches are relevant, as I'm not sure if we need full debug. I tried to find info about the sceSbl functions, but they're undocumented? I did find a set for Vita; they don't have these functions though.

I'm specifically wondering about patch vm_map_protect, self patches, and patch kmem_alloc. I lack enough coding skills to make this work with libps4, but I think I can swap in the ksdk by GiantPluto and make it work. I'll be making an attempt in about an hour here.

Well, I have it compiling with some warnings; a little scared to try it on my PS4 lol, but I'll give it a go here soon. Doubtful but hopeful.

OK, tested it, it didn't crash my PS4. I got an out-of-memory error when the payload was sent, but no prompts to start GTA V. Maybe the payload is too large? It is most likely not packed properly, as I have no idea how to write a makefile; there was also a warning from crt0.s in the gtaPayload directory. Will have to look closer with Mira, although I'm not 100% sure these patches don't interfere with Mira's patches.

After re-testing a couple of times, I'm fairly sure the payload is just too large. If anyone wants to have a look, lmk.
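Since the thread turns on what the second ptrace patch actually does, here is an added example (my own code, not ps4debug's or 2much4u's) that decodes the byte patterns from the patch_kernel() excerpt above into their control-flow meaning. The offsets and bytes are the page's; the classification names and the helper are assumptions of mine.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added example, not ps4debug or 2much4u code: decode the byte patterns that the
 * patch_kernel() excerpt above writes, so each patch reads as what it does to
 * control flow. Offsets are kernel-base-relative, exactly as on the page. */
enum patch_kind { PK_UNKNOWN, PK_JCC_TO_JMP, PK_JMP_SHORT, PK_JMP_NEAR,
                  PK_RET, PK_RET_TRUE, PK_ZERO_EAX, PK_NOP_SLED };

/* Classify patch bytes b[0..n) written at offset off. For jumps that carry a
 * displacement, *target receives the branch target (same base); x86 relative
 * jumps count from the end of the instruction. */
enum patch_kind classify_patch(uint64_t off, const uint8_t *b, size_t n, uint64_t *target)
{
    static const uint8_t mov_rax_1_ret[8] = {0x48,0xC7,0xC0,0x01,0x00,0x00,0x00,0xC3};
    static const uint8_t xor_eax_nops[5]  = {0x31,0xC0,0x90,0x90,0x90};
    size_t i;
    *target = 0;
    if (n == 1 && b[0] == 0xC3) return PK_RET;         /* ret: function body skipped */
    if (n == 1 && b[0] == 0xEB) return PK_JCC_TO_JMP;  /* jcc rel8 opcode -> jmp, displacement kept */
    if (n == 2 && b[0] == 0xEB) {                       /* jmp rel8 */
        *target = off + 2 + (int8_t)b[1];
        return PK_JMP_SHORT;
    }
    if (n == 5 && b[0] == 0xE9) {                       /* jmp rel32, little-endian displacement */
        int32_t rel = (int32_t)((uint32_t)b[1] | (uint32_t)b[2] << 8 |
                                (uint32_t)b[3] << 16 | (uint32_t)b[4] << 24);
        *target = off + 5 + rel;
        return PK_JMP_NEAR;
    }
    if (n == 8 && !memcmp(b, mov_rax_1_ret, 8)) return PK_RET_TRUE;  /* mov rax,1 ; ret */
    if (n == 5 && !memcmp(b, xor_eax_nops, 5))  return PK_ZERO_EAX;  /* xor eax,eax ; nop x3 */
    for (i = 0; i < n && b[i] == 0x90; i++) ;
    return (n && i == n) ? PK_NOP_SLED : PK_UNKNOWN;    /* check overwritten with NOPs */
}

int main(void)
{
    /* Stand-alone demo on the two ptrace patches from the 6.72 excerpt above. */
    static const uint8_t p1[] = {0xEB}, p2[] = {0xE9,0xE2,0x02,0x00,0x00};
    uint64_t t;
    enum patch_kind k1 = classify_patch(0x0010F879, p1, 1, &t);
    printf("ptrace patch 1 @0x10F879: kind %d (conditional jump made unconditional)\n", (int)k1);
    enum patch_kind k2 = classify_patch(0x0010FD22, p2, 5, &t);
    printf("ptrace patch 2 @0x10FD22: kind %d, jumps to %#llx\n", (int)k2, (unsigned long long)t);
    return 0;
}
```

The three sceSblACMgr patches decode to "mov rax,1 ; ret", i.e. the capability checks are made to unconditionally report success, which is the part of the patch set that matters for ptrace on a game process.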
 
@Mustafa0436 Don't let it get you down; we just need to study the code and figure out what needs to be done. There's a lot to figure out. One issue I'm wondering about is whether Mira interferes with mod menus, or whether they would perform normally under Mira. I need to debug, but it will be a challenge without Mira; is there another way?
 
@Mustafa0436 Great news! I grabbed all of the kernel patch code from ps4debug. I can now launch, it detects 1.27, I get "mods loaded, enjoy", BUT it is stuck at 90% loading. Nothing is frozen; I'll have to look further with Mira in a bit.

It's very odd: the system isn't crashed or unstable or anything, the game is just sitting at 90% loading perpetually. I'll try with a new game here in a bit after I back up my save. I'm just ultra hyped to see it working!

Also, I used 2much4u's PS4-GTAV-Menu-Base as a base.

@kevambert @Andrew Marques I've never used one of these trainers; has anyone ever seen one behave like this? I won't have time to test with Mira for a couple of hours. I'm wondering if it's because I used ps4trainer and it autosaved at some point?

OK, whew! That took longer than expected, but we have a working menu on 6.72/1.27! What's the preferred file host here? I'm not sure if I can even post links, and also not sure if this would be a release-worthy thing?
 