PS4 Jailbreaking | Thread starter: PSXHAX | Start date: Jan 29, 2018 at 2:44 AM | 115
Following his previous update, today PlayStation 4 developer @MODDEDWARFARE made available PS4 AIO v1.4.0 with a new demo video on his YouTube Channel. The release adds exploited 4.05 Firmware support alongside BO3 mods, and was followed by v1.5.0! ;)

Download: PS4-AIO-Setup 1.4.0.exe (42.6 MB) / PS4 AIO Portable 1.4.0.zip (42.1 MB) / PS4 AIO v1.5.0

To quote from the video's caption: PS4-AIO Release with 4.05 Support & BO3 Mods! (PS4 Jailbreak)

Here's an updated version of my PS4-AIO tool which now supports 4.05.

Please download and install the latest version rather than trying to update any older versions.

Playing Ghosts For Free & Cool Mods On 4.05 (PS4 Jailbreak & Homebrew)
[PS4/BO3] Real Time Editing using my own tool (God Mode, Ammo, Points, etc..)
[PS4/RELEASE] Open Source Black Ops III Zombie RTM Tool [5.05/4.55/4.05]
Download: PS4 RTM Tool MrNiato v1.0.zip / PS4 RTM Tool MrNiato v1.0.zip (Mirror) / PS4 RTM Tool MrNiato v1.0.zip (1.26.zip) via MrNiato, to quote:

HOW TO:

1) With your PS4 go to this link: http://crack.bargains/505k/

2) If you have the message "You're all set!" close the browser and reopen it again, then you will have the message "Awaiting Payload...".

3) Open NETCAT GUI, change your IP Address to the one of your PS4, change "9023" to "9020", select the payload in the folder then inject it!

4) Launch Black Ops III in Zombie mode, connect the PS4 and... enjoy!!

 

Comments

Please can you update the app, Moddedwarfare, so it won't freeze peeking RAM, or auto-pick the right length? How do we know the length range of memory for each game?
 
Yeah, save it as a .bin file. You need to peek a large amount of memory. Basically keep increasing the length until the console freezes, then peek just below that and dump it. That way you are searching through pretty much all of the game's memory.

The saved file does not have the addresses.
How will I know on which address I have to poke when I search in the dumped file?
 
Please can you update the app, Moddedwarfare, so it won't freeze peeking RAM, or auto-pick the right length? How do we know the length range of memory for each game?

I can't. I cannot stop it freezing if you peek a protected memory address. The start address, 0x400000, is entered for you. You shouldn't really be using this with game dumps as the memory seems different and you hit a lot more protected memory addresses for some reason. Not sure why.

The saved file does not have the addresses.
How will I know on which address I have to poke when I search in the dumped file?

Just use some basic math. If you find a value in Cheat Engine it will give you an address. You just add that address to the base address you peeked, and that will give you the address.
 
Btw Modded Warfare,
still can't get the IP part to show up, even after you showed the screenshots.
It did show all the bottom buttons after I changed to optimize screen or whatever, though.
But that IP setting is missing.
Tried both the portable and full versions.
 
Hello everyone; @MODDEDWARFARE

I'm trying so hard to understand the peek and poke option from this GREAT app.

Here are my tests and conclusions:
Code:
Game: Mighty No.9
1º Start game, Peek and poke options, press peek, all OK, the data is dumped.
      Base Address : 0x400000
      Length:            0x100
2º I'm going to try to poke the max data possible.
      Base Address : 0x400000
      Length:            0x1000000
      All OK

      Base Address : 0x400000
      Length:            0x2000000
      The game and the app Freeze

      Base Address : 0x400000
      Length:            0xC000000
      All OK
So the max address that I can access is 2000000

3º Now that I know the max address I start the process,

      I have 2 lives

      Base Address : 0x400000
      Length:            0xC000000
      1º Poke
      2º Dump Window
      3º Save as bin

      I have 1 life

      Base Address : 0x400000
      Length:            0xC000000
      1º Poke
      2º Dump Window
      3º Save as bin

      I have 0 lives

      Base Address : 0x400000
      Length:            0xC000000
      1º Poke
      2º Dump Window
      3º Save as bin

      I have 2 lives

      Base Address : 0x400000
      Length:            0xC000000
      1º Poke
      2º Dump Window
      3º Save as bin

      I have 1 life

      Base Address : 0x400000
      Length:            0xC000000
      1º Poke
      2º Dump Window
      3º Save as bin

4º I have 5 dumps of the memory. They are 16 MB in size
     ALL THE DUMPS HAVE THE SAME DATA. Saw it and compared with a hex editor.
When I start with Cheat Engine, no results of any kind after the first search :(

And that's my problem: is this app really taking the memory? Or is it a real-time editor of eboot.bin? If it is an editor, first I need to know the address in real memory to know what I have to poke in the eboot. How do you know the base address of the game, and where the real memory whose address changes is?

Sorry for the English, I hope you understand.

THANKS A LOT
 
Yeah, please don't be using this on fake package file games. The issue is you're not peeking enough memory and you're hitting a protected section of memory, which is why it freezes. Again, not sure why this happens with .pkg file games, as there seem to be more protected memory segments than in the disc version.

Maybe someone with more knowledge on that can explain. Anyway, the point is 16 MB is not a large enough dump, so that's why you're not finding anything.
 
Hello everyone;
When I start with Cheat Engine, no results of any kind after the first search :(

And that's my problem: is this app really taking the memory? Or is it a real-time editor of eboot.bin? If it is an editor, first I need to know the address in real memory to know what I have to poke in the eboot. How do you know the base address of the game, and where the real memory whose address changes is?

Sorry for the English, I hope you understand.

THANKS A LOT

I'm still trying myself to find some value to edit in FFXV, but there are some things I discovered and I'm happy to tell you.

First, are you sure the game freezes permanently? When the length is too great, the game and the AIO both freeze while dumping the data. This is normal with large files. In my case, the peek lasts from 1 to 2 minutes with the game frozen, and when I dumped the window, the file created weighed 101 MB.

And second, I think Cheat Engine can't scan files in the usual way we use it with processes. You need to open Memory View and search there for the hex value you want.

So, these are my findings.

I was trying to find something to mod in FFXV (cusa01615)

Base address: 0x400000
Length: 0x6700000 (if I try 6800000 the game freezes permanently)

I peeked and created 2 dump files. In one, I have 13 potions and, in the other, I have 12 potions.

13 in hex is 0D
12 in hex is 0C

0D and 0C are too common, so I found a lot of them in the dumps.
In the end, I decided to think in another way. I opened a cmd window and used the following command:

fc /b C:\Users\pretinaverse\Desktop\pocion12.bin C:\Users\pretinaverse\Desktop\pocion13.bin

The command retrieved the hex differences between the 2 files and I was able to search in there for the values 0D and 0C. BUT, I couldn't find any 0C changed to 0D in the other file.

So, this is what I think:

First, maybe the values in the game are encrypted somehow? I found that in some other games from other consoles, the values are backwards. So, instead of 0D, I should search for D0. But obviously this didn't work in FFXV.

And second, maybe after the protected memory that froze the game with the peek, there is another section of memory to search?


So, this is it. In case someone wanted to see my 2 dump files, here they are:

pocion12.bin / pocion13.bin

And here is the list of changes between both files obtained with the "fc /b" command:

https://pastebin.com/QJtkQgv6
Code:
C:\Users\pretinaverse>fc /b C:\Users\pretinaverse\Desktop\pocion12.bin C:\Users\pretinaverse\Desktop\pocion13.bin
Comparando archivos C:\USERS\PRETINAVERSE\DESKTOP\pocion12.bin y C:\USERS\PRETINAVERSE\DESKTOP\POCION13.BIN
042E7208: 02 00
042E7B20: C9 95
042E7B21: 09 EA
042E7B22: E8 8B
042E7B23: AF A7
042E7B48: 48 60
042E7B49: 31 2D
042E7B80: D8 10
042E7B98: 76 64
042E7BB8: D0 A8
042E7BB9: E4 F1
042E7BF0: E0 58
042E7BF1: E5 E6
042E7C38: 5F 4D
042E8470: D0 B0
042E8471: 97 84
042E84A8: 80 90
042E84A9: A2 A1
042E84C0: 86 75
042E84E0: 40 20
042E84E1: 19 04
042E8518: 38 30
042E8519: B6 B4
042E8530: 8D 7C
042E8548: 58 A8
042E8549: 43 1D
042E8551: 1E 87
042E8558: F8 68
042E8559: 2D 24
042E8564: FF EF
042E8578: 78 D8
042E8579: D3 D6
042E8580: 10 28
042E8588: 10 28
042E8589: D5 D2
042E8594: 01 11
042E8618: A4 51
042E8619: E2 A8
042E861A: E7 8B
042E861B: AF A7
042E9090: 20 58
042E9091: 9C 88
042E9098: 90 C8
042E9099: B6 C0
042E90B9: DE D5
042E90C9: DE D5
042E9149: 60 20
042E914A: FC 00
042E914B: 17 18
042E9178: 20 60
042E9179: AC F3
042E91B0: A8 58
042E91B1: DC E1
042E9328: 13 00
042E932C: 13 00
042E9330: 13 D0
042E9331: 98 8B
042E9340: 01 A1
042E9341: 98 8B
042E9350: 02 A2
042E9351: 98 8B
042E9360: 03 A3
042E9361: 98 8B
042E9370: 04 A4
042E9371: 98 8B
042E9380: 05 A5
042E9381: 98 8B
042E9390: 06 A6
042E9391: 98 8B
042E93A0: 07 A7
042E93A1: 98 8B
042E93B0: 08 A8
042E93B1: 98 8B
042E93C0: 09 A9
042E93C1: 98 8B
042E93D0: 0A AA
042E93D1: 98 8B
042E93E0: 0B AB
042E93E1: 98 8B
042E93F0: 0C AC
042E93F1: 98 8B
042E9400: 0D AD
042E9401: 98 8B
042E9410: 0E AE
042E9411: 98 8B
042E9420: 0F AF
042E9421: 98 8B
042E9430: 10 B0
042E9431: 98 8B
042E9440: 11 B1
042E9441: 98 8B
042E9450: 12 B2
042E9451: 98 8B
042E9460: 13 B3
042E9461: 98 8B
042E9470: E4 B4
042E9471: 97 8B
042E9480: E5 B5
042E9481: 97 8B
042E9490: E6 B6
042E9491: 97 8B
042E94A0: E7 B7
042E94A1: 97 8B
042E94B0: E8 B8
042E94B1: 97 8B
042E94C0: E9 B9
042E94C1: 97 8B
042E94D0: EA BA
042E94D1: 97 8B
042E94E0: EB BB
042E94E1: 97 8B
042E94F0: EC BC
042E94F1: 97 8B
042E9500: ED BD
042E9501: 97 8B
042E9510: EE BE
042E9511: 97 8B
042E9520: EF BF
042E9521: 97 8B
042E9530: F0 C0
042E9531: 97 8B
042E9540: F1 C1
042E9541: 97 8B
042E9550: F2 C2
042E9551: 97 8B
042E9560: F3 C3
042E9561: 97 8B
042E9570: F4 C4
042E9571: 97 8B
042E9580: F5 C5
042E9581: 97 8B
042E9590: F6 C6
042E9591: 97 8B
042E95A0: F7 C7
042E95A1: 97 8B
042E95B0: F8 C8
042E95B1: 97 8B
042E95C0: F9 C9
042E95C1: 97 8B
042E95D0: FA CA
042E95D1: 97 8B
042E95E0: FB CB
042E95E1: 97 8B
042E95F0: FC CC
042E95F1: 97 8B
042E9600: FD CD
042E9601: 97 8B
042E9610: FE CE
042E9611: 97 8B
042E9620: FF CF
042E9621: 97 8B
042E9630: 00 D0
042E9631: 98 8B
042EA0C0: F0 78
042EA0C1: 6E 73
042EA0E8: A0 60
042EA0E9: 0E 24
042EA30C: 01 00
042EA33C: 01 00
042EA4F8: FC CB
042EA4F9: 6B 54
042EA4FA: B7 5B
042EA4FB: 1E 16
042FB234: 12 00
042FB23C: 00 01
042FB23D: 01 00
042FB240: 00 0F
042FB241: 00 27
042FB248: 5A 00
042FB249: 02 00
042FB24A: 2A 00
042FB24B: 40 00
042FB250: 3F 00
042FB258: 00 01
042FB259: 01 00
042FB25C: 00 0F
042FB25D: 00 27
042FB260: 50 5A
042FB261: 22 55
042FB262: 4D 4E
042FB264: 5A 00
042FB265: 55 00
042FB266: 4E 00
042FB267: 40 00
042FB26C: 66 01
042FB274: 00 01
042FB275: 01 00
042FB27C: 5C 20
042FB27D: E3 A0
042FB27E: 81 83
042FB280: 20 00
042FB281: A0 90
042FB282: 83 75
042FB288: 92 00
042FB290: 00 01
042FB291: 01 00
042FB294: 00 0F
042FB295: 00 27
042FB29C: E1 00
042FB29D: 29 00
042FB29F: 41 00
042FB2A0: AD 63
042FB2A1: 82 83
042FB2A4: 99 31
042FB2A5: 01 00
042FB2AC: 00 01
042FB2AD: 01 00
042FB2BC: 16 21
042FB2BD: 78 7D
042FB2C0: 08 FD
042FB2C1: 07 01
042FB2C8: 00 01
042FB2C9: 01 00
042FB2E4: 00 01
042FB2E5: 01 00
042FB300: 00 01
042FB301: 01 00
042FB302: 0F 00
042FB303: 27 00
042FB304: 00 0F
042FB305: 00 27
042FB308: 00 54
042FB309: 00 12
042FB30A: 00 44
042FB30B: 00 41
042FB30C: 54 00
042FB30D: 12 00
042FB30E: 44 00
042FB30F: 41 00
042FB31C: 00 01
042FB31D: 01 00
042FB31E: 0F 00
042FB31F: 27 00
042FB320: 00 0F
042FB321: 00 27
042FB324: 00 85
042FB325: 00 26
042FB326: 00 0C
042FB327: 00 42
042FB328: 85 00
042FB329: 26 00
042FB32A: 0C 00
042FB32B: 42 00
042FB338: 00 01
042FB339: 01 00
042FB354: 00 01
042FB355: 01 00
042FB370: 00 01
042FB371: 01 00
042FB38C: 00 01
042FB38D: 01 00
042FB394: B3 C1
042FB398: C1 B3
042FB3A8: 00 01
042FB3A9: 01 00
042FB47C: 44 47
042FB480: 04 01
042FB488: 00 01
042FB489: 01 00
042FB490: 54 30
042FB491: 90 2A
042FB492: 49 A3
042FB494: 30 00
042FB495: 2A 00
042FB496: A3 00
042FB497: 41 00
042FB498: EA EB
042FB49C: 02 01
042FB4A4: 00 01
042FB4A5: 01 00
042FB4B0: AF 00
042FB4B1: 73 39
042FB4B2: 23 D2
042FB4B3: 42 41
042FB4B4: D6 DA
042FB4B8: 05 01
042FB4C0: 00 01
042FB4C1: 01 00
042FB4C8: 96 05
042FB4C9: 18 F8
042FB4CA: 6C 73
042FB4CC: 05 6B
042FB4CD: F8 0C
042FB4CE: 73 69
042FB4D0: C4 C6
042FB4D4: 03 01
042FB4DC: 00 01
042FB4DD: 01 00
042FB4E4: 0C 61
042FB4E5: D0 4A
042FB4E6: 9B A2
042FB4E8: 61 F2
042FB4E9: 4A AB
042FB4EA: A2 92
042FB4F8: 00 01
042FB4F9: 01 00
042FB508: 54 4A
042FB509: 73 7A
042FB50C: FD 07
042FB50D: 07 01
042FB514: 00 01
042FB515: 01 00
042FB520: AE 8E
042FB521: 80 18
042FB522: 9B CE
042FB523: 46 45
042FB530: 00 01
042FB531: 01 00
04302A18: D7 76
04303BE8: 45 41
043052D8: CE BC
043052D9: 5C 56
04332338: 02 08
@MODDEDWARFARE if you have any ideas seeing this, I hope you can share them with us. Or if someone else can deduce something, please tell us :)
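The "fc /b" approach above lists every changed byte, so the counter is buried among unrelated churn. As an added example (not from the thread, from PS4 AIO or from Cheat Engine), this Python script diffs two equal-length dumps the way fc /b does, then keeps only the offsets where a 1-, 2- or 4-byte little-endian value moved from 13 to 12, and turns each hit into an absolute address by adding the base the peek started from. The two snapshots are constructed inline; BASE_ADDRESS = 0x400000 is the start address used in the thread.

```python
"""Differential analysis of two memory snapshots (13 potions vs 12 potions)."""
import random
from typing import Dict, List, Tuple

BASE_ADDRESS = 0x400000  # start address the peek began at, as used in the thread


def diff_dumps(before: bytes, after: bytes) -> Dict[int, Tuple[int, int]]:
    """Byte-for-byte diff of two equal-length snapshots: offset -> (old, new), like fc /b."""
    if len(before) != len(after):
        raise ValueError("snapshots differ in length; peek the same range for both")
    return {i: (b, a) for i, (b, a) in enumerate(zip(before, after)) if b != a}


def fc_style(diff: Dict[int, Tuple[int, int]]) -> List[str]:
    """Render a diff in the 'XXXXXXXX: OO NN' layout that fc /b prints."""
    return [f"{off:08X}: {old:02X} {new:02X}" for off, (old, new) in sorted(diff.items())]


def find_transitions(before: bytes, after: bytes, old: int, new: int,
                     widths: Tuple[int, ...] = (4, 2, 1)) -> List[Tuple[int, int, int]]:
    """Offsets where a little-endian integer of `width` bytes changed from `old` to `new`.
    Wider matches win over narrower ones at the same offset (a 32-bit 0D000000 -> 0C000000
    is reported once, not also as a lone 0D -> 0C). Returns (offset, absolute_address, width)."""
    hits, covered = [], set()
    for width in sorted(widths, reverse=True):
        old_b, new_b = old.to_bytes(width, "little"), new.to_bytes(width, "little")
        start = 0
        while (off := before.find(old_b, start)) != -1:   # bytes.find is far faster than a byte loop
            if off not in covered and after[off:off + width] == new_b:
                hits.append((off, BASE_ADDRESS + off, width))
                covered.update(range(off, off + width))
            start = off + 1
    return hits


def build_sample() -> Tuple[bytes, bytes]:
    """Constructed snapshots, not the thread's pocion13/pocion12 dumps."""
    rng = random.Random(7)
    before = bytearray(rng.getrandbits(8) for _ in range(0x1000))
    after = bytearray(before)
    before[0x2F8:0x2FC] = (13).to_bytes(4, "little")  # a 32-bit potion counter
    after[0x2F8:0x2FC] = (12).to_bytes(4, "little")
    before[0x80A], after[0x80A] = 0x0D, 0x0C          # a lone byte that also fits 13 -> 12
    before[0x80B] = after[0x80B] = 0x42               # keep it from looking like a wider int
    after[0x500] ^= 0xFF                               # unrelated churn (timer, pointer, ...)
    return bytes(before), bytes(after)


if __name__ == "__main__":
    b, a = build_sample()
    print("\n".join(fc_style(diff_dumps(b, a))))
    for off, addr, width in find_transitions(b, a, 13, 12):
        print(f"candidate: offset 0x{off:X} -> address 0x{addr:X} ({width}-byte)")
```

Running find_transitions in the opposite direction (12 to 13) on the same pair returns nothing, which is a quick way to confirm the dumps were taken in the order you think they were.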
 
First, are you sure the game freezes permanently? When the length is too great, the game and the AIO both freeze while dumping the data. This is normal with large files. In my case, the peek lasts from 1 to 2 minutes with the game frozen, and when I dumped the window, the file created weighed 101 MB.

Nice!!!

What I see in the dumps is that the real changes start at:

42E7208h + 400000

So what we see in here is the part of the eboot.bin that doesn't change. Then the idea is to start dumping from 4600000 with different lengths.

I'll keep trying with smaller games to see if after a freeze we can jump over that part of memory that is "protected".

Thanks, I thought nobody cared about this.
 