Category PS4 CFW and Hacks       Thread starter PSXHAX       Start date Sep 13, 2016 at 11:27 PM       7,741       3            
Many moons ago the PS3 Controller EEPROM (Electrically Erasable Programmable Read-Only Memory) was dumped, and moving to the PlayStation 4 generation following zecoxao's recent PS4 SFlash Guide comes a PS4 EEPROM Dumper to (you guessed it :coffee:) dump the console's EEPROM Non-Volatile Storage data.

Download: eeprom.7z (5.39 KB) / eeprom.7z (Mirror)

Below are some related replies from totallynotzecoxao as Twitter tends to blow balls at times with partial embeds:
From Pastebin.com:
Code:
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <inttypes.h>


#include <machine/_types.h>
#include <unistd.h>
#include <errno.h>
#include <assert.h>
#include "kmain.h"

#include <arpa/inet.h>
#include <netinet/in.h>

#include <signal.h>

#include <machine/cpufunc.h>

#include <sys/_stdint.h>
#include <sys/sysent.h>
#include <sys/_types.h>
#include <sys/syscall.h>
#include <sys/socket.h>
#include <sys/mman.h>
#include <sys/sysctl.h>
#include <sys/ptrace.h>
#include <sys/errno.h>
#include <sys/proc.h>
#include <sys/param.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/mutex.h>
#include <sys/lock.h>
#include <sys/sysproto.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <machine/reg.h>

#include <ps4/standard_io.h>
#include <ps4/kernel.h>
#include <ps4/register.h>
#include <ps4/socket.h>
#include <ps4/stream.h>
#include <ps4/type.h>

#include <sce/kernel.h>


#define IP(a, b, c, d) (((a) << 0) + ((b) << 8) + ((c) << 16) + ((d) << 24))
#define TCP_NODELAY 1



int main(int argc, char **argv)
{
    void *sceSblACMgrIsVideoplayerProcess;
    //char *sceSblRCMgrIsAllowDisablingAslr;
    char *mem;
    char *mem2;
 
    int64_t ret;
    int r;
    //char *dump;

    printf("uid: %zu\n", getuid());
    ps4KernelCall(ps4KernelPrivilegeEscalate);
    //ps4KernelCall(ps4KernelDebugEnable);  //causing uid 1 and crash
    printf("uid: %zu\n", getuid());

    sceSblACMgrIsVideoplayerProcess = (void *)ps4KernelCall(ps4KernelDlSym, "sceSblACMgrIsVideoplayerProcess");
    //sceSblRcMgrIsAllowDisablingAslr = (void *)ps4KernelCall(ps4KernelDlSym, "sceSblRcMgrIsAllowDisablingAslr");
 
    mem = malloc(64);
    memset(mem, 0x90, 64);
    strcpy(mem, "Hello World!");

    printf("mem: %p: %s\n", mem, mem);
    ps4StandardIoPrintHexDump(mem, 48);
    r = ps4KernelExecute((void *)kmain1, mem, &ret, NULL);
    printf("mem: %p: %s\n", mem, mem);
    ps4StandardIoPrintHexDump(mem, 48);
    printf("[K1] r: %i, ret: %"PRIxPTR"\n", r, ret);

    ps4KernelCall(ps4KernelMemoryCopy, sceSblACMgrIsVideoplayerProcess, mem, 32);
    ps4StandardIoPrintHexDump(mem, 48);

    r = ps4KernelExecute((void *)kmain2, mem, &ret, NULL);
    printf("[K2] r: %i, ret: %"PRIxPTR"\n", r, ret);

    ps4KernelCall(ps4KernelMemoryCopy, sceSblACMgrIsVideoplayerProcess, mem, 32);
    ps4StandardIoPrintHexDump(mem, 48);

    r = ps4KernelExecute((void *)kmain3, mem, &ret, NULL);
    printf("[K3] r: %i, ret: %"PRIxPTR"\n", r, ret);

    ps4KernelCall(ps4KernelMemoryCopy, sceSblACMgrIsVideoplayerProcess, mem, 32);
    ps4StandardIoPrintHexDump(mem, 48);

/* Create socket for TCP-Dump */

    struct sockaddr_in server;

    server.sin_len = sizeof(server);
    server.sin_family = AF_INET;
    server.sin_addr.s_addr = IP(192, 168, 1, 65);
    server.sin_port = htons(9023);
    memset(server.sin_zero, 0, sizeof(server.sin_zero));
    int sock = socket(AF_INET, SOCK_STREAM, 0);
    connect(sock, (struct sockaddr *)&server, sizeof(server));
 
    int flag = 1;
    setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (char *)&flag, sizeof(int));
 
/* Dump E^2prom with banks and blocks :) */

    int64_t (*icc_nvs_read) (uint64_t bank_id,uint64_t block_id,uint64_t offset,uint64_t size,uint8_t *data_ptr) = (void *) 0xFFFFFFFF82639CD0;

    uint8_t buffed[0x10];
    int bank;
    int block;
    int h = 0;
    int u;

    printf("    [+] Enter the bank id you wish to dump with:");
    scanf("%d",&bank);
    printf("         [+] Enter the block id you wish to dump with:");
    scanf("%d",&block);
 
    if(block == 0){
        u == 0x3000;
    }
    else if(block == 1){
        u = 0x1000;
    }
    else if(block == 2){
        u = 0x800;
    }
    else if(block == 3){
        u = 0x800;
    }
    else if(block == 4){
        u = 0x3000;
    }
    else if(block > 4 || block < 0){
        printf("invalid block id, try using 0-4\n");
    }
    if(bank > 1 || bank < 0){
        printf("invalid bank id, try using 0-1\n");
    }
    else if(bank <= 1 && bank >= 0 && block <= 4 && block >= 0){
        printf("        [+] Dumping via icc_nvs_read with bank id:%d and block id:%d\n", bank, block);
        for(h=0;h<u;h=h+0x10){
            int64_t retz = ps4KernelCall(icc_nvs_read,bank, block, h, 0x10, buffed);
            if(retz == -1)perror("icc_nvs_read");
            else if (retz == 0){
                send(sock,buffed,0x10,0);
            }
        }
    }

/* Close sockets and free the mapped memory */
close(sock);
free(mem);


return EXIT_SUCCESS;
Download: syscon_die.jpg (13.76 MB)
Download: ps4_syscon.tif (209 MB)
PS4 SysCon Renesas Image: PS4 SysCon Chip Optical EFD / EDF Stitch
To quote from @zecoxao in the Tweet above: It seems that ps4 syscon is a custom Renesas RL78/G13 (100 pin) and it looks like superslim is also one of those.
Thanks to both and @mcmrc1 and @toni1988 for the news tip in the PSXHAX Shoutbox!
PS4 EEPROM Dumper.jpg
 

Comments

Recent Articles
Sony PS4 / PS3 Blu-ray Disc Drive Internals & Security by Oct0xor at 36c3
Last year they covered Exploiting PS4 Video Apps, and at the 36th annual Chaos Communication Congress (36c3) from December 27th to the 30th 2019 in Leipzig Germany scene developer @Octopus (aka...
Sony PS4 Remote Play: Now on More Devices Latest Promo Video
Proceeding the PSPlay Free Trial of the unofficial Android app and yesterday's Google Stadia release that includes 22 Stadia Launch Titles, today Sony unleashed their latest PS4 Remote Play - Now...
Baikal Support Added to PlayStation 4 Linux Loader by Valeery
Since the PSXITArch Linux v2 Guide, Spine PS4 Emulator for Linux Demo, CECPS4 Linux Scripts and PS4 Gentoo Linux development updates support for the Baikal chip was recently added to the...
PS5 DualShock 5 (DS5) Controller Images Surface in Japanese Patent
Following Sony's New Controller Patent, PS5 Devkit Prototype Leak and recent PS5 Transition Update in preparation for the PlayStation 5 2020 Launch today some PS5 DualShock 5 (DS5) Controller...
Top