Category PS4 CFW and Hacks       Thread starter PSXHAX       Start date May 31, 2020 at 10:51 PM       14,133       39            
As mentioned previously, following Fail0verflow's Documentation, the PS4 NoBD Updating Method, his PS4 Updater Toolkit release and the PS4 RL78 Syscon implementation PlayStation 4 scene developer @theorywrong shared via Twitter a new post on his blog at TheoryWrong.me detailing his research with the PS4 Update Tool known as OrbisSWU discussing PS4 NoBD, downgrading and how updates work. :geek:

:lovewins: Feel free to support his continued work on his Patreon Page, and here's a rough translation via Google of his Latest Blog Article for those feeling a bit techy today: OrbisSWU, the PS4 update tool.

Hello !

Here is finally the 1st article for the PS4 in relation to my work!

:alert: Note: Some points may be vague, it is not easy to understand a complex system like that, but I will try to transcribe the exact operation.

Today we are going to talk about the “OrbisSWU” tool which manages the PS4 update system.

OrbisSWU The PS4 Update Tool Developer Research by TheoryWrong 2.jpg

Controlled PS4 update

OrbisSWU is a special application stored in all PUPs on the PS4. It allows updating the firmware of the PS4. Kernel, Application, Blueray Reader and WiFi / Bluetooth Chipset. Everything goes through him.

It all starts in the SceShellUI, when your PS4 requests to do an update, it will start by recovering it in a specific folder. Luckily, SceShellUI is an application that actually loads a C # coded .exe (yes, yes) based on Mono. This library is called app.exe.sprx.

It will suffice to recover this library from the FTP of xVortex (which has the particularity of decrypting executables from PS4 to ELF). Then extract the Windows executable.

OrbisSWU The PS4 Update Tool Developer Research by TheoryWrong 3.png

Hexadecimal view of the PS4 library containing the executable

OrbisSWU The PS4 Update Tool Developer Research by TheoryWrong 4.png

DoUpdateJob.cs in app.exe.sprx

The SceShellUI will copy the PUP into space /update/PS4UPDATE.PUP and extract the orbis_swu.elf. Then, a restart in update mode will be initiated.

During startup, the mini-syscore (process 1 after loading the kernel) will check in which mode it should be loaded.

OrbisSWU The PS4 Update Tool Developer Research by TheoryWrong 5.png

The mini-syscore checks which mode it should load when starting the console, here the "update" mode.

Once the update mode is initiated, the executable orbis_swu.self previously extracted will be executed by the console by means of the sc_spawn function.

OrbisSWU The PS4 Update Tool Developer Research by TheoryWrong 6.png

Launch of orbis_swu.self from mini-syscore using update mode

During its execution, the PUP will be fully decrypted. PUPs are update files made up of “blobs”, encrypted parts, sometimes compressed which will be decrypted one by one by the SAMU (The security processor of the PlayStation 4).

OrbisSWU The PS4 Update Tool Developer Research by TheoryWrong 7.png

A list of blobs for Firmware 5.05, here the signature is in md5 and corresponds to the encrypted version. The content of the files is decrypted.

The blobs between them form different types of files, here is a (small) list of files that we can find inside:

1, ???, / dev / sflash0s0x32b
2, ???, / dev / sflash0s0x33
3, ???, / dev / sflash0s0x38
3, ???, wlan_firmware.bin
4, ???, / dev / sflash0s1. cryptx2b
5, secure_modules.bin, /dev/sflash0s1.cryptx3b
6, system.img, /dev/da0x4b.crypt
7, ???, / dev / da0x2
8, eap.img, /dev/da0x3.crypt
9, recovery .img, /dev/da0x0.crypt
10, /dev/sflash0s1.cryptx40
11, /dev/da0x1.crypt
11, preinst.img
12, system_ex.img, /dev/da0x5b.crypt
13, / dev / sflash0s0x32b
14, / dev / sflash0s0x33

To decrypt the PUP, the PS4 will use a command list (ioctl) for the "device" /dev/pup_update0:

Function name Order ID
Decrypt PUP Header 0xC0184401
Verify Segment (1) 0xC0184402
Verify Segment (2) 0xC0184403
Verify BLS Header 0xC010440D
Decrypt Segment 0xC0184404
Decrypt Segment Block 0xC0284405
Ioctl command lists for decrypting the update

It should be noted that the SAMU (Security Coprocessor) refuses to decrypt PUPs of version lower than the current version, it is one of the security mechanisms which detects attempts to downgrade.

Once the songs have been decrypted, Orbis_SWU will use specialized functions to update the different parts of the console, such as the BlueRay player, the Wifi / Bluetooth chipset, etc.

OrbisSWU The PS4 Update Tool Developer Research by TheoryWrong 8.png

A small part of the functions of orbis_swu.self

Launching the update outside of Update Mode

It is possible to launch the update utility without putting the console in update mode, it can still update the components of the PS4. To do so, you need a Kernel exploit, the H (omebrew) EN (abler), and the make_fself.py of Flat_Z

The idea is that through a Homebrew "Hosts", to execute a modified orbis_swu.self which will do what we want. Just use the function
Code:
sceSystemServiceLoadExec(char* path, void* unk);
The modification of the orbis_swu will have to apply 2 patches to make it usable with a host application.
  • Modifying the video output: orbis_swu is normally used in a context where SceShellUI does not exist. It will now be necessary to indicate to him that he must take the exit of the Applications.
  • Give it permissions: Like any system process, orbis_swu must be able to access certain things. It will therefore be necessary to give it special permissions and to make it escape from its sandbox through a system call. It is also necessary to patch the kernel to be able to have access to the sflash in writing.
OrbisSWU The PS4 Update Tool Developer Research by TheoryWrong 9.png

Modification of the "start" to execute a syscall (here 67) which will simply delete the sandbox from the application.

OrbisSWU The PS4 Update Tool Developer Research by TheoryWrong 10.png

Here, the ESI register (Argument 2) must be set to 0 to set it to MAIN

Once this is done, your homebrew is ready to use the orbis_swu to perform updates! Now is when things start to get interesting!

OrbisSWU The PS4 Update Tool Developer Research by TheoryWrong 11.jpg

The orbis_swu.self launched without the presence of an update.

Case 1: Update a PS4 without Blu-ray player

The first possible use of this is to bring in the update of consoles without Blu-ray player possible.
Code:
BdWriter::checkDeviceExist -1PupReader::checkSegmentUpdate initialize failed: 0x801809a8 PupReader::Estimate::2019 checkSegmentUpdate failed: 0x801809a8 [ERROR]sceUpdaterVerifySign() failed : 801809a8
Here we can see that the update is impossible because the function
Code:
BdWriter::checkDeviceExistcannot
find the Blu-ray player. It would be enough to modify this function to launch an update to a higher firmware.

OrbisSWU The PS4 Update Tool Developer Research by TheoryWrong 12.png

The location of the error display

The patch will be very simple, it will suffice to modify the instruction to return the error with a
Code:
xor ebx, ebx
instead of a
Code:
mov eax, ebx
OrbisSWU The PS4 Update Tool Developer Research by TheoryWrong 13.png

The instruction to modify

Tadaaaa! PS4 updates even without Blu-ray player 😀

:alert: WARNING ! Updating your PS4 without a Blu-ray player is not without risk without a hard drive backup, you will no longer be able to use the restoration tools (Soft Brick). It will always be possible to add a Blu-ray player to unblock the situation.

OrbisSWU The PS4 Update Tool Developer Research by TheoryWrong 14.jpg

PS4 update without being in update mode

Case 2: Downgrade attempt

Even if it may seem fanciful to try to downgrade in the simplest way possible, it is still necessary that this process recalls the downgrade of the PSVita Modoru by TheFlow which runs its update module to downgrade with a modified version.

Here the idea is simple, if the PS4 cannot decrypt blobs of PUP lower than its version, we will decrypt them for him. The attack is simple, we will hook (hook) the syscall dedicated to ioctl and intercept the calls made to the "device" of decryption then:
  • Make an MD5 signature of the encrypted version
  • Find the decrypted version in a USB key
  • Return the decrypted version without using the SAMU
OrbisSWU The PS4 Update Tool Developer Research by TheoryWrong 15.png

"Ioctl" syscall hook is hooking useful functions.

Once this was in place, I was surprised that it worked! The PS4 has accepted the update!

OrbisSWU The PS4 Update Tool Developer Research by TheoryWrong 16.jpgOrbisSWU The PS4 Update Tool Developer Research by TheoryWrong 17.jpg

However, an error at the Switch Bank level. Which cancels the update and switches back to the current version (The backup bank)

OrbisSWU The PS4 Update Tool Developer Research by TheoryWrong 18.jpg

Error 0x8018085F (SCE_UPDATER_CORE_ERROR_PUP_US_NEEDAUTH)

After analysis of the SFLASH, it is possible to notice that values have all the same changed, such as the version of this one.

I continue my research to know how to correct the switch bank and why not have the possibility of Downgrade ^^

I hope that the article will have you more, I continue my work. Ciao!

Source:
OrbisSWU The PS4 Update Tool Developer Research by TheoryWrong.jpg
 
:idea: Reminder: Those without a Verified Badge yet on Discord to access the private areas we recommend Joining Us! Why? The waiting process takes a week for new Members, and there's a lot we're unable to share on public forums including the latest PS4 PKG Games. 🏴‍☠️

Comments

DanTheMan1997

Member
Contributor
Verified
I hope this leads to more backports or more english backports
 
:idea: Reminder: Those without a Verified Badge yet on Discord to access the private areas we recommend Joining Us! Why? The waiting process takes a week for new Members, and there's a lot we're unable to share on public forums including the latest PS4 PKG Games. 🏴‍☠️

MacPCFan

Member
Contributor
Verified
Seems like there will be users who have 5.05 who will be able to update to patched versions of higher firmwares and maintain kernel access similar to the PS3 users. That may come before kernel hacks for higher firmwares are released. Anything is possible though.
 

Amanuel

Member
Contributor
Verified
theorywrong recent blog comment on June 3, 2020 at 2:10 pm:

Hello ! For the moment we are in the process of seeing if already the downgrade is possible from a kernel exploit. Nevertheless it must be remembered that it is necessary to bypass a 1st protection, namely given pre-decrypted data to launch the downgrade. Unfortunately I do not think that a downgrade from a higher firmware is possible during its 2 or 3 years without the keys of the SAMU.
 

juansbeck

juansbeck and hybridcomputers
Developer
Senior Member
Contributor
Verified
a possible solution might be in, rl78 tests it and returns the flash Error 0x8018085F @Amanuel, with this SAMU method you already receive everything decoded, the only error is in xflash that must be updated in the process and at the end it marks an error of comparison bytes.
 
Recent Articles
Sony Introduces PlayStation Indies for PS5 and PS4 with Montage Video
Proceeding the Indie PS5 game Soulborn Alpha Trailer, Sony introduced their PlayStation Indies initiative featuring nine captivating new independent games including Worms Rumble (PS5 / PS4), Haven...
Cyberpunk 2077 4K Footage and New NBA 2K21 Zion PS5 Trailer Video
Since the last batch of PS5 Trailers some 4K gameplay footage of the upcoming RPG Cyberpunk 2077 by CD Projekt Red surfaced with a 2021 tentative release scheduled alongside a new NBA 2K21 PS5...
CTurt on FreeDVDBoot for PS3 / PS4 and Blu-ray BD-J Attacks
Long ago we saw the Original PS4 Jailbreak for 1.76 FW via BadIRET Exploitation (Github Articles), and following his recent FreeDVDBoot PS2 DVD Player Exploit PlayStation 4 developer @CTurt shared...
PS4 Package (PKG) Manager Homebrew Application by Pakee
PlayStation 4 homebrew developer @pakee of Pakee.xyz recently Contacted Us with news of his PS4 Package (PKG) Manager Homebrew Application public release stating: "I made software to manage...
Top