Category PS4 CFW and Hacks       Thread starter PSXHAX       Start date Apr 10, 2019 at 7:51 AM       4,568       10            
Following his previous updates, developer @CMTFrosty (Twitter) made available a Call of Duty: Advanced Warfare MenuBase 1.23 with source code, alongside a video demonstration on his YouTube Channel of it in action, for those with a jailbroken PS4 5.05 console.

He credits golden for helping with a Ghosts fix, stating that a Ghosts menubase is also coming soon! :ninja:

From the AdvancedWarfare_MenuBase

MenuBase for Advanced Warfare 1.23 for PS4 5.05. Compile with make command on Ubuntu. Inject .elf with elf loader (JKPatch).

[PS4 5.05/AW 1.23] Menu Base + Source
Also below are some PS4 WW2 1.11 Huds for those interested, from
// all found by me, John - with some help from

#include <stdint.h>

#pragma pack(push, 1)
struct HudElement {
   char padding_0[0x04]; // 0x0
   uint32_t font; // 0x4
   uint32_t alignOrg; // 0x8
   uint32_t alignScreen; // 0xc
   float x; // 0x10
   float y; // 0x14
   float z; // 0x18
   uint32_t type; // 0x1c
   float fontScale; // 0x20
   char padding_1[0x0C]; // 0x24
   union {
       uint32_t argb;
       struct { uint8_t a, r, g, b; };
   } argb; // 0x30
   char padding_2[0x10]; // 0x34
   uint32_t width; // 0x44
   uint32_t height; // 0x48
   uint32_t material; // 0x4c
   char padding_3[0x10]; // 0x50
   uint32_t fromWidth; // 0x60
   uint32_t fromHeight; // 0x64
   uint32_t scaleStartTime; // 0x68
   uint32_t scaleTime; // 0x6c
   float fromX; // 0x70
   float fromY; // 0x74
   uint32_t fromAlignOrg; // 0x78
   uint32_t fromAlignScreen; // 0x7c
   uint32_t moveStartTime; // 0x80
   uint32_t moveTime; // 0x84
   uint32_t time; // 0x88
   uint32_t duration; // 0x8c
   float value; // 0x90
   uint32_t localizeStringIndex; // 0x94
   char padding_5[0x24]; // 0x98
   uint32_t index; // 0xbc
   char padding_6[0x01]; // 0xc0
   char visibility; // 0xc1
   char padding_7[0x0E]; // 0xc2
};
#pragma pack(pop)

HudElement* HudElemAlloc(uint32_t client, uint32_t team) {
   return ((HudElement * (*)(uint32_t, uint32_t, uint32_t))0xD6DF30)(client, team, 0);
}

uint32_t G_FindConfigstringIndex(const char *p0, uint64_t p1, uint32_t p2, int32_t p3, const char *p4) {
   return ((uint32_t(*)(const char *, uint64_t, uint32_t, int32_t, const char *))0x917430)(p0, p1, p2, p3, p4);
}

uint32_t G_LocalizedStringIndex(const char* text) {
   return G_FindConfigstringIndex(text, 570, 0x28A, 1, "localized string");
}

uint32_t G_MaterialIndex(const char* material) {
   return G_FindConfigstringIndex(material, 4472, 0x1FF, *(int32_t *)0xC472750, "material");
}

HudElement* spawnHudElem(uint32_t client, float x, float y, uint32_t rgba) {
   HudElement* hud = HudElemAlloc(client, 0);

   hud->alignOrg = 0x04;
   hud->alignScreen = 0x98;
   hud->x = x;
   hud->y = y;
   hud->argb.argb = __builtin_bswap32(rgba);
   hud->visibility = 0x01;

   return hud;
}

HudElement *spawnText(uint32_t client, float x, float y, uint32_t rgba, const char *text, uint32_t font, float fontScale) {
   HudElement* hud = spawnHudElem(client, x, y, rgba);

   hud->type = 0x01;
   hud->font = font;
   hud->fontScale = fontScale;
   hud->localizeStringIndex = G_LocalizedStringIndex(text);

   return hud;
}

HudElement *spawnShader(uint32_t client, float x, float y, uint32_t rgba, const char *material, uint16_t width, uint16_t height) {
   HudElement* hud = spawnHudElem(client, x, y, rgba);

   hud->type = 0x04;
   hud->width = width;
   hud->height = height;
   hud->material = G_MaterialIndex(material);

   return hud;
}

uint32_t getLevelTime() {
   return *(uint32_t *)(0xC472D60 + 0x04);
}

void scaleOverTime(HudElement* hud, char useconds, uint16_t width, uint16_t height) {
   hud->fromHeight = hud->height;
   hud->fromWidth = hud->width;
   hud->scaleStartTime = getLevelTime();
   hud->scaleTime = useconds;
   hud->height = height;
   hud->width = width;
}

void moveOverTime(HudElement* hud, char useconds, float x, float y) {
   hud->fromX = hud->x;
   hud->fromY = hud->y;
   hud->moveStartTime = getLevelTime();
   hud->moveTime = useconds;
   hud->x = x;
   hud->y = y;
}

Cheers to @DEFAULTDNB for the heads-up of this news on Twitter earlier on! :beer:



Senior Member
I would love to see these menus made into BIN payloads I could add to X-Project, I asked CustomHooker and he said it should be possible to convert the elf... we shall see...


Senior Member
@DEFAULTDNB it's a matter of easy testing for the devs. You can code your elf in such a way that you can load it over and over again while in game; a payload would require you to load the exploit host first every time.

So in theory you could make it a .bin before you release it but "convert" is the wrong word for it. You would have to c&p the source code into a different project and compile it again.


Senior Member
Maaan, where do you guys always get those header files... that's not the kind of stuff you learn in University

Could you recommend a book to understand that stuff (exploitation, hacking and so on)?


Senior Member
@DeathRGH GTAV payloads are like this and people are enjoying them :)

I understand what you’re saying, but for (end users) people who want to cache hosts and play, they can’t use these without another device connected to send the elf.


If you want easy menu development, that's where sprx comes in handy. Sprx allows you to easily load and unload with proper clean up. I will eventually release my complete PS4 development suite for loading sprxs, though I've been too busy lately to work on it.

something like this:



Senior Member
@oldschoolmodzhd I don't see the point in using sprxs for quick testing; you need to use a USB all the time to transfer the sprx. So unless you have made a payload to run FTP after exiting the web browser, elfs are still better for testing.

Obviously a huge downside is the limitation of libraries, and I think those can be used in an sprx, right?