PS4 Jailbreaking       Thread starter PSXHAX       Start date Sep 9, 2017 at 2:19 AM       3      
Since the NID for sceAppInstUtilAppInstallPkg was revealed, followed by some PS4 NIDs being added to Hashcat, PlayStation 4 developer ZiL0G80 (aka Z80 or @oneman123) has documented several more PS4 NIDs that are useful for developers creating PS4 RTEs with libmdbg_syscore. :ninja:

Those interested in researching PlayStation 4 System Software function names can check them out below along with the related Tweets from his Twitter feed!

From Pastebin.com:
Code:
<!-- by Z80 -->
<Entry obf="EIZbVQs381s" lib="libKernel" sym="sceSblRcMgrIsIntdevForSettingsNative???"/>
<Entry obf="GDzBPefugvU" lib="libKernel" sym="sceKernelEventLogOpen"/>
<Entry obf="Z7NoR9m5SVo" lib="libKernel" sym="sceKernelIccGetCpuInfoBit"/>
<Entry obf="RP9ImTNDfP8" lib="libKernel" sym="sceKernelIccSetCpuInfoBit"/>
<Entry obf="xXj0rnNUYIk" lib="libKernel" sym="sceKernelIccNvsFlush"/>
<Entry obf="qWoGe2XqwVw" lib="libKernel" sym="sceKernelIccIndicatorBootDone"/>
<Entry obf="gQXxz1IoL5U" lib="libKernel" sym="sceKernelIccIndicatorShutdown"/>
<Entry obf="tCQzG0iC8zw" lib="libKernel" sym="sceKernelIccGetPowerNumberOfBootShutdown"/>
<Entry obf="PA6ZwQM5tNQ" lib="libKernel" sym="sceKernelIccGetPowerOperatingTime"/>

<Entry obf="6EVXSBewBXs" lib="libulpcommon" sym="scePktMgrIsRecvDataReady"/>
<Entry obf="+235EcrmaJc" lib="libulpcommon" sym="scePktMgrRecvDeciPacket"/>
<Entry obf="ISoryBJKvl4" lib="libulpcommon" sym="sceUlpMgrInit"/>
<Entry obf="pBiaquuxxw8" lib="libulpcommon" sym="sceUlpMgrReqOpen"/>
<Entry obf="K8SZy3MsiaY" lib="libulpcommon" sym="sceUlpMgrReqClose"/>
<Entry obf="OvsK57sLpQE" lib="libulpcommon" sym="sceUlpMgrRegisterProtocol"/>
<Entry obf="-4xfEZanOFg" lib="libulpcommon" sym="sceUlpMgrSaveConnectionInfoList"/>
<Entry obf="4M7UYhGTlqk" lib="libulpcommon" sym="sceUlpMgrUnregisterProtocol"/>
<Entry obf="WBeIG8BMvvQ" lib="libulpcommon" sym="delProtocolInfoList"/>

<Entry obf="Rf0XMVR7xPw" lib="libSceRemoteplay" sym="sceRemoteplaySetProhibition"/>

<!-- all 73 27 mine + 31 already here + others missing -->
<Entry obf="FAqD7n94bYY" lib="libmdbg_syscore" sym="module_start???"/>
<Entry obf="qSPximdlUuY" lib="libmdbg_syscore" sym="sceDebugGetApplicationIdByTitleId"/>
<Entry obf="RD3shWR4Vok" lib="libmdbg_syscore" sym="sceDebugGetApplicationInfo"/>
<Entry obf="tdpqr1lzbOw" lib="libmdbg_syscore" sym="sceDebugGetApplicationList"/>
<Entry obf="njVl0vsj1Co" lib="libmdbg_syscore" sym="sceDebugGetEventList"/>
<Entry obf="ZvSXUtAtj2M" lib="libmdbg_syscore" sym="sceDebugGetFiberInfo"/>
<Entry obf="y+o5ZkkHMik" lib="libmdbg_syscore" sym="sceDebugGetMonoVMInfo"/>
<Entry obf="dvp-mPrfQfk" lib="libmdbg_syscore" sym="sceDebugGetMonoVMList"/>
<Entry obf="+z2ejY-8WLw" lib="libmdbg_syscore" sym="sceDebugGetSyncExclusiveWaiterList"/>
<Entry obf="uqwYatrm6s8" lib="libmdbg_syscore" sym="sceDebugGetSyncObjectData"/>
<Entry obf="7VxUuGJJD5M" lib="libmdbg_syscore" sym="sceDebugGetSyncObjectList"/>
<Entry obf="5tAHSWQfomw" lib="libmdbg_syscore" sym="sceDebugGetSyncWaiterList"/>
<Entry obf="pdbdz2ccLfo" lib="libmdbg_syscore" sym="sceDebugGetUltCondvarInfo"/>
<Entry obf="22C8vFKX2u4" lib="libmdbg_syscore" sym="sceDebugGetUltInfo"/>
<Entry obf="FcVRhZfdD6M" lib="libmdbg_syscore" sym="sceDebugGetUltMutexInfo"/>
<Entry obf="LXYJ384Fq2E" lib="libmdbg_syscore" sym="sceDebugGetUltQueueDataResourcePoolInfo"/>
<Entry obf="25PEYXEnaJ0" lib="libmdbg_syscore" sym="sceDebugGetUltQueueInfo"/>
<Entry obf="cPtUwd8Dtgk" lib="libmdbg_syscore" sym="sceDebugGetUltRuntimeInfo"/>
<Entry obf="evqHA+pYo+c" lib="libmdbg_syscore" sym="sceDebugGetUltRwlockInfo"/>
<Entry obf="KaOJiDrykP8" lib="libmdbg_syscore" sym="sceDebugGetUltSemaphoreInfo"/>
<Entry obf="-Ruc8RY6MSo" lib="libmdbg_syscore" sym="sceDebugGetUltWaitingQueueResourcePoolInfo"/>
<Entry obf="yqIOrJbpTu4" lib="libmdbg_syscore" sym="sceDebugSpawnApplication"/>
<Entry obf="nITiXSwEc6w" lib="libmdbg_syscore" sym="sceDebugSuspendApplication"/>
<Entry obf="8XiF7OmlpcM" lib="libmdbg_syscore" sym="sceDebugResumeApplication"/>
<Entry obf="jKGq8JG6K1Q" lib="libmdbg_syscore" sym="sceDebugKillApplication"/>
<Entry obf="EY8cOKuR7Bc" lib="libmdbg_syscore" sym="sceDebugTriggerCoredump"/>
<Entry obf="jkV8zFTpxIk" lib="libmdbg_syscore" sym="sceDebugCancelCoredump"/>
From Pastebin.com:
Code:
<Entry obf="FAqD7n94bYY" lib="libmdbg_syscore" sym="module_start???"/>
<Entry obf="RkNs5WxpMzg" lib="libmdbg_syscore" sym="sceDebugAttachProcess"/>
<Entry obf="jkV8zFTpxIk" lib="libmdbg_syscore" sym="sceDebugCancelCoredump"/>
<Entry obf="FF2LpsJxclY" lib="libmdbg_syscore" sym="sceDebugClearStepThread"/>
<Entry obf="a8xfs-qh9WA" lib="libmdbg_syscore" sym="sceDebugCreateScratchDataArea"/>
<Entry obf="FS33uqKkEJA" lib="libmdbg_syscore" sym="sceDebugCreateScratchExecutableArea"/>
<Entry obf="rB1RFXt+i-Y" lib="libmdbg_syscore" sym="sceDebugDetachProcess"/>
<Entry obf="qSPximdlUuY" lib="libmdbg_syscore" sym="sceDebugGetApplicationIdByTitleId"/>
<Entry obf="RD3shWR4Vok" lib="libmdbg_syscore" sym="sceDebugGetApplicationInfo"/>
<Entry obf="tdpqr1lzbOw" lib="libmdbg_syscore" sym="sceDebugGetApplicationList"/>
<Entry obf="njVl0vsj1Co" lib="libmdbg_syscore" sym="sceDebugGetEventList"/>
<Entry obf="ZvSXUtAtj2M" lib="libmdbg_syscore" sym="sceDebugGetFiberInfo"/>
<Entry obf="+cSD1hGmg+0" lib="libmdbg_syscore" sym="sceDebugGetModuleInfo"/>
<Entry obf="HaI8g79+OOA" lib="libmdbg_syscore" sym="sceDebugGetModuleList"/>
<Entry obf="18ylu1q-Us8" lib="libmdbg_syscore" sym="sceDebugGetModuleMetaData"/>
<Entry obf="y+o5ZkkHMik" lib="libmdbg_syscore" sym="sceDebugGetMonoVMInfo"/>
<Entry obf="dvp-mPrfQfk" lib="libmdbg_syscore" sym="sceDebugGetMonoVMList"/>
<Entry obf="Zi+rAm6czUg" lib="libmdbg_syscore" sym="sceDebugGetProcessEventCntlFlag"/>
<Entry obf="kaqTf5y2P0E" lib="libmdbg_syscore" sym="sceDebugGetProcessInfo"/>
<Entry obf="OUYYl+QEzZc" lib="libmdbg_syscore" sym="sceDebugGetProcessList"/>
<Entry obf="+z2ejY-8WLw" lib="libmdbg_syscore" sym="sceDebugGetSyncExclusiveWaiterList"/>
<Entry obf="uqwYatrm6s8" lib="libmdbg_syscore" sym="sceDebugGetSyncObjectData"/>
<Entry obf="7VxUuGJJD5M" lib="libmdbg_syscore" sym="sceDebugGetSyncObjectList"/>
<Entry obf="5tAHSWQfomw" lib="libmdbg_syscore" sym="sceDebugGetSyncWaiterList"/>
<Entry obf="6RdLdsNW3dY" lib="libmdbg_syscore" sym="sceDebugGetThreadInfo"/>
<Entry obf="MilSVS0uHvA" lib="libmdbg_syscore" sym="sceDebugGetThreadList"/>
<Entry obf="pdbdz2ccLfo" lib="libmdbg_syscore" sym="sceDebugGetUltCondvarInfo"/>
<Entry obf="22C8vFKX2u4" lib="libmdbg_syscore" sym="sceDebugGetUltInfo"/>
<Entry obf="FcVRhZfdD6M" lib="libmdbg_syscore" sym="sceDebugGetUltMutexInfo"/>
<Entry obf="LXYJ384Fq2E" lib="libmdbg_syscore" sym="sceDebugGetUltQueueDataResourcePoolInfo"/>
<Entry obf="25PEYXEnaJ0" lib="libmdbg_syscore" sym="sceDebugGetUltQueueInfo"/>
<Entry obf="cPtUwd8Dtgk" lib="libmdbg_syscore" sym="sceDebugGetUltRuntimeInfo"/>
<Entry obf="evqHA+pYo+c" lib="libmdbg_syscore" sym="sceDebugGetUltRwlockInfo"/>
<Entry obf="KaOJiDrykP8" lib="libmdbg_syscore" sym="sceDebugGetUltSemaphoreInfo"/>
<Entry obf="-Ruc8RY6MSo" lib="libmdbg_syscore" sym="sceDebugGetUltWaitingQueueResourcePoolInfo"/>
<Entry obf="6+bfgq18W84" lib="libmdbg_syscore" sym="sceDebugInit"/>
<Entry obf="jKGq8JG6K1Q" lib="libmdbg_syscore" sym="sceDebugKillApplication"/>
<Entry obf="H-WaabqfU-I" lib="libmdbg_syscore" sym="sceDebugKillProcess"/>
<Entry obf="HxGTYmj3LJ8" lib="libmdbg_syscore" sym="sceDebugNoStopChildProcesses"/>
<Entry obf="HGDKKtTRpog" lib="libmdbg_syscore" sym="sceDebugNoStopOnDLLoad"/>
<Entry obf="2ezc3rKyIqM" lib="libmdbg_syscore" sym="sceDebugProcessSpawn"/>
<Entry obf="HB57CbhjcLw" lib="libmdbg_syscore" sym="sceDebugReadEvent"/>
<Entry obf="QoMN8tdi8K0" lib="libmdbg_syscore" sym="sceDebugReadProcessMemory"/>
<Entry obf="ARowrgmuN94" lib="libmdbg_syscore" sym="sceDebugReadThreadRegister"/>
<Entry obf="8XiF7OmlpcM" lib="libmdbg_syscore" sym="sceDebugResumeApplication"/>
<Entry obf="LDUnJvas7aA" lib="libmdbg_syscore" sym="sceDebugResumeProcess"/>
<Entry obf="qDIcu3MnDOk" lib="libmdbg_syscore" sym="sceDebugResumeThread"/>
<Entry obf="--I4Ml0ADxQ" lib="libmdbg_syscore" sym="sceDebugSetProcessEventCntlFlag"/>
<Entry obf="tRdLlsyNo9g" lib="libmdbg_syscore" sym="sceDebugSetStepThread"/>
<Entry obf="yqIOrJbpTu4" lib="libmdbg_syscore" sym="sceDebugSpawnApplication"/>
<Entry obf="5n-wRxhsTXU" lib="libmdbg_syscore" sym="sceDebugStopChildProcesses"/>
<Entry obf="fiVAYOf2PZE" lib="libmdbg_syscore" sym="sceDebugStopOnDLLoad"/>
<Entry obf="nITiXSwEc6w" lib="libmdbg_syscore" sym="sceDebugSuspendApplication"/>
<Entry obf="nzqN4RdflwM" lib="libmdbg_syscore" sym="sceDebugSuspendProcess"/>
<Entry obf="iAMvRxEvs5o" lib="libmdbg_syscore" sym="sceDebugSuspendThread"/>
<Entry obf="EY8cOKuR7Bc" lib="libmdbg_syscore" sym="sceDebugTriggerCoredump"/>
<Entry obf="QTpgnwUVRWw" lib="libmdbg_syscore" sym="sceDebugWriteProcessMemory"/>
<Entry obf="tHeVbJMcEv8" lib="libmdbg_syscore" sym="sceDebugWriteThreadRegister"/>
From Pastebin.com:
Code:
API call "sceDebugAttachProcess(pid)"%*s
API call "sceDebugDetachProcess(process->pid)"%*s
API call "sceDebugCancelCoredump(pid)"%*s
API call "sceDebugCreateScratchDataArea(pid, size, &addr)"%*s
API call "sceDebugCreateScratchExecutableArea(pid, size, &addr)"%*s
API call "sceDebugDestroyScratchDataArea(pid, addr, page->size)"%*s
API call "sceDebugDestroyScratchExecutableArea(pid, addr, page->size)"%*s
API call "sceDebugGetApplicationIdByTitleId(titleId, &appid)"%*s
API call "sceDebugGetApplicationInfo(appIds[i], &info)"%*s
API call "sceDebugGetApplicationList(appIds, maxAppIds, &actualAppIds)"%*s
API call "sceDebugGetEventList(process->pid, sid, (SceKernelEvent*)data_ptr, buffer_size / sizeof(SceKernelEvent), &actual_events)"%*s
API call "sceDebugGetFiberInfo(fiberId, process->pid, &finfo)"%*s
API call "sceDebugGetModuleInfo(pid, mid, &info)"%*s
API call "sceDebugGetModuleList(pid, s_mids, s_num_mids, &actual_mids)"%*s
API call "sceDebugGetModuleMetaData(pid, mid, meta_data, meta_data_size, &actual_meta_data)"%*s
API call "sceDebugGetMonoVMInfo(pids[i], &info)"%*s
API call "sceDebugGetMonoVMList(s_pids, s_num_pids, &actual_pids)"%*s
API call "sceDebugGetProcessInfo(pid, &procInfo)"%*s
API call "sceDebugGetProcessList(s_pids, s_num_pids, &actual_pids)"%*s
API call "sceDebugGetSyncExclusiveWaiterList(process->pid, sid, (SceDeciTid*) data_ptr, buffer_size / sizeof(SceDeciTid), &actual_waiters)"%*s
API call "sceDebugGetSyncObjectData(process->pid, sid, &sinfo)"%*s
API call "sceDebugGetSyncObjectList(process->pid, s_sids, s_num_sids, &actual_sids)"%*s
API call "sceDebugGetSyncWaiterList(process->pid, sid, (SceDeciTid*) data_ptr, buffer_size / sizeof(SceDeciTid), &actual_waiters)"%*s
API call "sceDebugGetThreadInfo(pid, tid, &info)"%*s
API call "sceDebugGetThreadList(pid, s_tids, s_num_tids, &actual_tids)"%*s
API call "sceDebugGetUltCondvarInfo(process->pid, uid, &info.condvar)"%*s
API call "sceDebugGetUltInfo(ultId, process->pid, &info)"%*s
API call "sceDebugGetUltMutexInfo(process->pid, uid, &info.mutex)"%*s
API call "sceDebugGetUltQueueDataResourcePoolInfo(process->pid, uid, &info.qdrp)"%*s
API call "sceDebugGetUltQueueInfo(process->pid, uid, &info.queue)"%*s
API call "sceDebugGetUltRuntimeInfo(runtimeId, process->pid, &rinfo)"%*s
API call "sceDebugGetUltRwlockInfo(process->pid, uid, &info.rwlock)"%*s
API call "sceDebugGetUltSemaphoreInfo(process->pid, uid, &info.sema)"%*s
API call "sceDebugGetUltWaitingQueueResourcePoolInfo(process->pid, uid, &info.wqrp)"%*s
API call "sceDebugKillApplication(context, appid)"%*s
API call "sceDebugKillProcess(pid)"%*s
API call "sceDebugNoStopChildProcesses(process->pid)"%*s
API call "sceDebugNoStopOnDLLoad(process->pid)"%*s
API call "sceDebugProcessSpawn(context, argv, flags, stack_size, workdir)"%*s
API call "sceDebugReadThreadRegister(tid, reg, &reg_value)"%*s
API call "sceDebugResumeApplication(context, appid)"%*s
API call "sceDebugResumeProcess(process->pid, 0)"%*s
API call "sceDebugSpawnApplication(context, titleId, argv, flags)"%*s
API call "sceDebugStopChildProcesses(process->pid)"%*s
API call "sceDebugStopOnDLLoad(process->pid)"%*s
API call "sceDebugSuspendApplication(context, appid)"%*s
API call "sceDebugSuspendProcess(process->pid)"%*s
API call "sceDebugTriggerCoredump(pid, corefile_type, pathname)"%*s
API call "sceDebugWriteProcessMemory(process->pid, address, size, buffer, &size_written)"%*s
API call "sceDebugWriteThreadRegister(tid, reg, &values[i])"%*s

NIDs Explained

What are they:


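NIDs are function names, variables, etc., but obfuscated. The term stands for (N)ame (ID)entifiers. Because a NID is a truncated hash of the name, the name cannot be read back out of it; a name is only confirmed by hashing a candidate and comparing the result, and the entries marked ??? in the lists above appear to be unconfirmed guesses.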

How to get a nid from:

PSP


SHA-1 hash of the function or variable name string; take the first 4 bytes and byte-swap them as a 32-bit value.

Warning: Some NIDs have to be guessed manually, from 3.70 at least! There is no solution for finding the suffix (yet).

PSVita

SHA-1 hash of the function or variable name string; take the first 4 bytes and byte-swap them as a 32-bit value.

Warning: Some NIDs have to be guessed manually! There is no solution for finding the suffix (yet).
Warning 2: NIDs like module_start, etc. (NONAME) use the suffix c1b886af5c31846467e7ba5e2cffd64a as the key.

PS3

SHA-1 hash of the function name string plus the binary key 6759659904250490566427499489741A (given in hex);
take the first 4 bytes and byte-swap them as a 32-bit value.

Warning: NIDs like module_start, etc. (NONAME) use the suffix bc5eba9e042504905b64274994d9c41f as the binary key.

PS4

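SHA-1 hash of the function or variable name string plus the binary key 518D64A635DED8C1E6B039B1C3E55230 (hex);
take the first 8 bytes(?), byte-swap them as a 64-bit value(?), and finally convert to Sony's special base64
(I believe replace - with = for the charset; note that the PS4 script below instead encodes with + and - as the two extra characters and strips the = padding)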

Bruteforcing:

Using custom hashcat.

Algos:
  • PS3, Python
    Code:
    import sys, os
    import struct
    from hashlib import sha1
    import hashlib
    from base64 import b64encode as base64enc
    from binascii import unhexlify as uhx
    
    #ref https://github.com/SocraticBliss/ps4_name2nid_plugin
    
    # Accumulates NID -> name pairs as name2nid() hashes each input name.
    NEW_NIDS = dict()
    # Output file written by save_nids().
    AEROLIB = "nids.txt"
    # Input file read by the main loop, one candidate symbol name per line.
    NAMES = "ps3_names.txt"
    
    def name2nid(name):
        """Hash *name* into its 32-bit PS3 NID and record it in NEW_NIDS.

        The NID is the first four bytes of SHA-1(name + fixed 16-byte suffix),
        read as a little-endian unsigned integer. Nothing is returned; the
        result is stored as ``NEW_NIDS[nid] = name``, so a later name that
        produces the same NID replaces the earlier entry.
        """
        suffix = uhx(b'6759659904250490566427499489741A')
        digest = sha1(name.encode() + suffix).digest()
        (value,) = struct.unpack('<I', digest[:4])
        NEW_NIDS[value] = name
    
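    def save_nids(NIDS):
        """Write the NID table to the AEROLIB file, sorted by symbol name.

        Args:
            NIDS: mapping of integer NID -> symbol name.

        Each entry becomes one line of the form ``0x%08X name``. The file is
        opened for writing (replacing any previous content) and is closed even
        if a write fails.
        """
        # Sort before opening so a sort failure does not leave a truncated file.
        by_name = sorted(NIDS.items(), key=lambda item: item[1])
        # The context manager closes the handle on error; write() replaces
        # writelines(), which was being handed a single string.
        with open(AEROLIB, "w") as out:
            for nid, name in by_name:
                out.write('0x%08X %s\n' % (nid, name))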
    
    
    
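    # Hash every candidate name listed in NAMES (one per line), then write the
    # resulting table. The context manager closes the input even if hashing fails.
    with open(NAMES, "r") as f:
        for line in f:
            line = line.strip()
            # Skip blank lines: hashing "" would add a bogus NID with no name.
            if line:
                name2nid(line)

    save_nids(NEW_NIDS)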
  • PS4, Python
    Code:
    import sys, os
    import struct
    #from hashlib import sha1
    import hashlib
    from base64 import b64encode as base64enc
    from binascii import unhexlify as uhx
    
    #ref https://github.com/SocraticBliss/ps4_name2nid_plugin
    
    # Accumulates NID -> name pairs as name2nid() hashes each input name.
    NEW_NIDS = dict()
    # Output file written by save_nids().
    AEROLIB = "aerolib.csv"
    # Input file read by the main loop, one candidate symbol name per line.
    NAMES = "ps4_names.txt"
    
    def name2nid(name):
        """Hash *name* into its PS4 NID and record it in NEW_NIDS.

        The NID is built from the first eight bytes of
        SHA-1(name + fixed 16-byte key): their byte order is reversed, the
        result is base64-encoded with ``+`` and ``-`` as the two extra
        alphabet characters, and the ``=`` padding is stripped. Nothing is
        returned; the NID (a ``bytes`` value) is stored as
        ``NEW_NIDS[nid] = name``.
        """
        key = uhx('518D64A635DED8C1E6B039B1C3E55230')
        digest = hashlib.sha1(name.encode() + key).digest()
        # Read the leading 8 bytes little-endian and re-emit them big-endian,
        # which is what unpack('<Q') followed by '%016x' produced.
        swapped = int.from_bytes(digest[:8], 'little').to_bytes(8, 'big')
        encoded = base64enc(swapped, b'+-').rstrip(b'=')
        NEW_NIDS[encoded] = name
    
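    def save_nids(NIDS):
        """Write the NID table to the AEROLIB file, sorted by symbol name.

        Args:
            NIDS: mapping of NID (``bytes``, decoded as UTF-8 for output)
                -> symbol name.

        Each entry becomes one ``nid name`` line. The file is opened for
        writing (replacing any previous content) and is closed even if a
        write fails.
        """
        # Sort before opening so a sort failure does not leave a truncated file.
        by_name = sorted(NIDS.items(), key=lambda item: item[1])
        # The context manager closes the handle on error; write() replaces
        # writelines(), which was being handed a single string.
        with open(AEROLIB, "w") as out:
            for nid, name in by_name:
                out.write('%s %s\n' % (str(nid, 'utf-8'), name))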
    
    
    
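    # Hash every candidate name listed in NAMES (one per line), then write the
    # resulting table. The context manager closes the input even if hashing fails.
    with open(NAMES, "r") as f:
        for line in f:
            line = line.strip()
            # Skip blank lines: hashing "" would add a bogus NID with no name.
            if line:
                name2nid(line)

    save_nids(NEW_NIDS)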
Good links:
Thanks to @SSShowmik for the heads-up in the PSXHAX Shoutbox and @raedoob on PSXHAX Discord earlier today! <3
More PlayStation 4 NIDs Documented for PS4 Devs by ZiL0G80 (Z80).jpg
 
