Category PS4 CFW and Hacks       Thread starter PSXHAX       Start date May 2, 2019 at 5:47 AM       11,484       31            
Status
Not open for further replies.
Following fail0verflow's PS4 Crashdumps / Kernel Dumping and PS4 Aux Hax Documentation alongside his recent PS4 Sflash0 Pack Tool, PlayStation 4 developer @SocraticBliss made available a PS4 Crash Dump Decryptor Python Script for scene devs on Twitter today.

Download: ps4_crash_dump_decryptor.py / ps4_mono_to_il.py (PS4 MONO binaries to IL MONO binaries - updated script to work with the PS4's .dll.sprx and .exe.sprx files to turn them into .dll and .exe to be inspected with something like dnSpy)

From the Tweets below, here's what he had to say on it: "Still tweaking this somewhat, but decided to take a swing at fail0verflow's PS4 Crash Dump Decryptor script (since at this point its fairly outdated), enjoy!

Thanks goes out to notzecoxao, CelesteBlue123, and most of all fail0verflow! :)"

ps4_crash_dump_decryptor.py
Code:
#!/usr/bin/env python
'''

Crash Dump Decryptor by SocraticBliss (R)

Thanks to...
# Team FailOverflow
# CelesteBlue
# zecoxao

1) Replace  AES KEY # with the actual key
2) Replace HMAC KEY # with the actual key
3) Have orbiscore-systemcrash.orbisstate in the same directory
4) python ps4_crash_dump_decryptor.py

'''

from binascii import unhexlify as uhx, hexlify as hx
from Crypto.Cipher import AES
from Crypto.Hash import HMAC, SHA256
import struct
import sys

class Header:
    def __init__(self, f):
        __slots__ = ('VERSION', 'OPEN_PSID', 'PADDING_1', 'PADDING_2',
                     'UNKNOWN', 'STATE', 'DATA_LEN', 'PADDING_3', 'DATA_HMAC')

        # Secure Header
        self.VERSION   = struct.unpack('<I', f.read(4))[0]
        self.PSID_ENC  = struct.unpack('<16s', f.read(16))[0]
        self.PADDING_1 = struct.unpack('<I13Q', f.read(108))[0]
   
        # Padding
        self.PADDING_2 = struct.unpack('<4Q', f.read(32))[0]
   
        # Final Header
        self.UNKNOWN   = struct.unpack('<2Q', f.read(16))[0]
        self.STATE     = struct.unpack('<Q', f.read(8))[0]
        self.DATA_LEN  = struct.unpack('<Q', f.read(8))[0]
        self.PADDING_3 = struct.unpack('<2Q', f.read(16))[0]
        self.DATA_HMAC = struct.unpack('<4Q', f.read(32))[0]

KEYS = [
    ['',''],
    ['AES KEY 1','HMAC KEY 1'], # 1.01
    ['AES KEY 2','HMAC KEY 2'], # 3.55
    ['AES KEY 3','HMAC KEY 3'], # 4.05
    ['AES KEY 4','HMAC KEY 4'], # 4.07
]

def aes_ecb_encrypt(key, data):
    return AES.new(uhx(key), AES.MODE_ECB).encrypt(data)

def aes_ecb_decrypt(key, data):
    return AES.new(uhx(key), AES.MODE_ECB).decrypt(data)

def hmac_sha256(key, data):
    return HMAC.new(uhx(key), msg = data, digestmod = SHA256).digest()

# PROGRAM START
def main (argc, argv):

    # 1) Read the Header
    with open('orbiscore-systemcrash.orbisstate', 'rb') as f:
        ps = Header(f)
   
        KD = KEYS[ps.VERSION][0]
        KC = KEYS[ps.VERSION][1]
        print('\nEncrypted PSID: %s' % hx(ps.PSID_ENC).upper())
   
        PSID_DEC = aes_ecb_decrypt(KD, ps.PSID_ENC)
        print('\nPSID: %s' % hx(PSID_DEC).upper())
        
        # HMAC DIGEST
        DIGEST = hmac_sha256(KC, ps.PSID_ENC)
        print('HASH: %s' % hx(DIGEST).upper())
           
        KD = DIGEST[0x10:]
        KC = DIGEST[:0x10]
          
        print('\nAES : %s' % hx(KC).upper())
        print('HMAC: %s' % hx(KD).upper())
   
        # 2) Dump Starts Here
        f.seek(0x4000)
        DATA_ENC = f.read()

    # 3) Utilize the proper key set to decrypt the data
    IV = '0000000000000000'
    DATA = AES.new(KD, AES.MODE_CBC, IV).decrypt(DATA_ENC)

    # 4) Save the decrypted data
    with open('debug.bin', 'wb') as f:
        f.write(DATA)
   
    print('\nSaved to debug.bin')

if __name__=='__main__':
    sys.exit(main(len(sys.argv), sys.argv))
Crash Dump KeySeed
Code:
kd, kc
KEYS = [
    ['',''],
    [b'8F86DDEDCBF24A44EB6C30607AA26F76', b'4125715AAB8B78E569F512E65CA62DD3'], # 1.01-3.15
    [b'63AEF79DC49969FD8997B2F60DB65F81', b'1800A5DE2D0F0652FA5602FFADD440AA'], # 3.50-3.70
    [b'05205507B7A154E08A7A38B1897563FB', b'AD334D142EAF8B9438DB00D1D0BFF357'], # 4.00-4.05
    [b'04C1A0961BBB0CB2140361B0956AAABA', b'052D2FF3014FB38CAAF6898CB899982A'], # 4.06-4.07 (to test)
]
Sealed Key Values

Keyset 1

AES-CBC-128
Key = B5DAEFFF39E6D90ECA7DC5B029A8153E

SHA-256-HMAC
Hash = 8707960A53468D6C843B3DC9624E22AF

Keyset 2
AES-CBC-128
Key = EC0D347E2A7657471F1FC33E9E916FD4

SHA-256-HMAC
Hash = A6D6583D3217E87D9BE9BCFC4436BE4F

Keyset 3
AES-CBC-128
Key = 51D8BFB4E387FB4120F081FE33E4BE9A

SHA-256-HMAC
Hash = FFF9BDEA803B14824C61850EBB084EE9

Keyset 4
AES-CBC-128
Key = 346B5D231332AC428A44A708B1138F6D

SHA-256-HMAC
Hash = 5DC6B8D1A3A0741852A7D44268714824

Dumped with getSealedKeySecret on 5.05

PS4 Crash Dump Decryptor Python Script via SocraticBliss.jpg
 

Comments

Status
Not open for further replies.

FalconIndestro

Member
Contributor
Verified
@sanyo23 ok. I understand your point.

What i see with that is the dev's had those exploits and cause they were patched they decided to release it to public. These days, they might have some newer ones (or not) and they don't see the need to release it to public because since 1.74 you got 3.55 / 4.55 / 5.05 and some ports to lower firmwares and all of those have good tools for the homebrew scene.

Also, all have one thing in common, they were all patched. And some of those (if not all) were public CVE's or known bugs that S0ny "forgot" to fix. If some new exploit exist that isn't patched or it's a known public bug or is a public one that is under the radar so far or it isn't known, so if they don't patch it, it won't see the light of day, till some of the dev's release it. I've never seen some 0day PS4 public exploit release.

Despite most people only want a new exploit for backups, the dev's like to know how the system works, research, challenge, learning, whatever... so they don't see the need for a public release. With this research they might find something that might open PS4 "doors" to public for good, like you have seen in previous scenes. And this might take long.

Don't get me wrong, i want a new exploit to the PS4 scene but also i do understand if they don't wanna release it. Because exploits are limited. There isn't a unlimited chain of exploits ;)

Better to have a "ultimate exploit" than some that might get patched in just a few days. For that, patience is the key. Or just forget about it and update to latest firmware and enjoy online with friends.
 

SocraticBliss

Developer
Member
Contributor
I mean I get it, people are pissed because they can't run the latest games, so they vent on forums, do they deserve the games? No not really, but I guess that's besides the point. If you want homebrew, you got it.

For the people who are waiting for new exploits for playing these newer games, you are essentially waiting for Sony to patch the ones that are still out there. Once Sony patches the exploit, there is a higher chance of it being released publicly, as it is no longer of any use, there is hardly any chance that working exploit will be released publicly before Sony patches it. These systems are just way too secure for any one person to lone ranger it, plus it would be a huge waste since Sony would just patch it the next software update.
 

mavianka

Member
Contributor
Can you install the game on an external hard drive connected to the current version of PS4, connect the external hard drive to the PSP in version 5.05, transfer the game to the computer via FTP, reduce the version of the game to work on 5.05?
 

BwE

Developer
Senior Member
Contributor
Verified
You guys make me lol

PS4s are cheap and so are the games.

Buy a second PS4, update it. Enjoy life.
 
Status
Not open for further replies.
Recent Articles
Mortal Kombat 11 Kombat Swap Pack (EU / US) PS4 FPKG Mods by GrimDoe
Since my previous Mortal Kombat XL PS4 Skin Mod Demo and Friday The 13th: The Game PS4 RTM Trainer, here's a Mortal Kombat 11 Kombat Swap Pack from me (GrimDoe on Twitter) alongside some new...
PS4 Debug Watch App Port for 6.72 Firmware via Withmetta
Based on the Debug Watch utility by jogolden (Twitter) and the PS4Debug 6.72 Fork by GiantPluto (Twitter), recently I (aka withmetta) recompiled PS4 Debug Watch and got it working on PlayStation 4...
PS4 Syscon Loader Python Script for System Controller Files by SocraticBliss
Following the PS4 SysGlitch Tool and SysCon Glitching Pinout and his PS4 Unfself Tool, today PlayStation 4 developer @SocraticBliss is back with a PS4 Syscon Loader via Twitter tested with the IDA...
XNA RPKGMAN: XNA Remote Package Manager by Cypheron
Hey everyone, following PS4 PKG Sender v1.03 I have created XNA RPKGMAN: XNA Remote Package Manager which is a fully dynamic, lightweight package manager that only requires NodeJS/NPM and runs on...
Top