Many moons ago the PS3 Controller EEPROM (Electrically Erasable Programmable Read-Only Memory) was dumped. Moving to the PlayStation 4 generation, and following zecoxao's recent PS4 SFlash Guide, comes a PS4 EEPROM Dumper to (you guessed it) dump the console's EEPROM Non-Volatile Storage data.
Download: eeprom.7z (5.39 KB) / eeprom.7z (Mirror)
Below are some related replies from totallynotzecoxao as Twitter tends to blow balls at times with partial embeds:
Download: syscon_die.jpg (13.76 MB)
Download: ps4_syscon.tif (209 MB)
PS4 SysCon Renesas Image: PS4 SysCon Chip Optical EFD / EDF Stitch
To quote from @zecoxao in the Tweet above: It seems that PS4 syscon (PS4 Syscon Research & Development Repository) is a custom Renesas RL78/G13 (100 pin) and it looks like superslim is also one of those.
Thanks to both and @mcmrc1 and @toni1988 for the news tip in the PSXHAX Shoutbox!
Download: eeprom.7z (5.39 KB) / eeprom.7z (Mirror)
Below are some related replies from totallynotzecoxao as Twitter tends to blow balls at times with partial embeds:
- it dumps this -> Non_Volatile_Storage
- dumps your tokens and flags
- zero point, unless you are interested in documenting things
- if you ever had a ps3, it's the equivalent of SYSCON's EEPROM readable data through lv1
Code:
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <inttypes.h>
#include <machine/_types.h>
#include <unistd.h>
#include <errno.h>
#include <assert.h>
#include "kmain.h"
#include <arpa/inet.h>
#include <netinet/in.h>
#include <signal.h>
#include <machine/cpufunc.h>
#include <sys/_stdint.h>
#include <sys/sysent.h>
#include <sys/_types.h>
#include <sys/syscall.h>
#include <sys/socket.h>
#include <sys/mman.h>
#include <sys/sysctl.h>
#include <sys/ptrace.h>
#include <sys/errno.h>
#include <sys/proc.h>
#include <sys/param.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/mutex.h>
#include <sys/lock.h>
#include <sys/sysproto.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <machine/reg.h>
#include <ps4/standard_io.h>
#include <ps4/kernel.h>
#include <ps4/register.h>
#include <ps4/socket.h>
#include <ps4/stream.h>
#include <ps4/type.h>
#include <sce/kernel.h>
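/*
 * Pack the four octets of a dotted-quad IPv4 address a.b.c.d into one 32-bit
 * value with `a` in the least significant byte. The result is assigned
 * directly to sin_addr.s_addr below without htonl(), so it relies on a
 * little-endian host to come out in network byte order.
 *
 * Each octet is widened to uint32_t before shifting: with plain int operands
 * `(d) << 24` overflows a signed int (undefined behaviour) once d >= 128.
 */
#define IP(a, b, c, d) \
    (((uint32_t)(a) << 0) + ((uint32_t)(b) << 8) + \
     ((uint32_t)(c) << 16) + ((uint32_t)(d) << 24))

/*
 * TCP_NODELAY is defined locally because <netinet/tcp.h> is not included by
 * this file. The guard avoids a redefinition if a system header supplies it.
 * NOTE(review): 1 is presumably the target system's value -- confirm.
 */
#ifndef TCP_NODELAY
#define TCP_NODELAY 1
#endif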
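/*
 * Entry point of the EEPROM / NVS dumper.
 *
 * Sequence, as visible in this listing:
 *   1. print the uid, call ps4KernelPrivilegeEscalate, print the uid again;
 *   2. run kmain1..kmain3 (declared in kmain.h, not shown here) through
 *      ps4KernelExecute, hex-dumping a scratch buffer between the stages;
 *   3. connect a TCP socket to a hard-coded receiver;
 *   4. read a bank id and block id from stdin, then call icc_nvs_read in
 *      16-byte steps over the chosen block and send each chunk to the socket.
 *
 * Returns EXIT_SUCCESS once the read loop has run to the end of the block,
 * EXIT_FAILURE on allocation, socket, send or input errors.
 */
int main(int argc, char **argv)
{
    /* Length in bytes of each NVS block id 0..4, as hard-coded by the author. */
    static const int block_len_by_id[] = { 0x3000, 0x1000, 0x800, 0x800, 0x3000 };
    static const char greeting[] = "Hello World!";

    void *sceSblACMgrIsVideoplayerProcess;
    char *mem;
    int64_t ret = 0;
    int r;
    int rc = EXIT_FAILURE;
    int sock = -1;
    int nodelay = 1;
    int bank = -1;
    int block = -1;
    int block_len;
    int offset;
    int ids_ok = 1;
    uint8_t chunk[0x10] = {0};
    struct sockaddr_in server;

    /*
     * Absolute kernel address of icc_nvs_read taken from the original listing.
     * NOTE(review): presumably valid only for the firmware build the author
     * targeted -- confirm before reuse; a wrong address is called in kernel
     * context.
     */
    int64_t (*icc_nvs_read)(uint64_t bank_id, uint64_t block_id, uint64_t offset,
                            uint64_t size, uint8_t *data_ptr) = (void *)0xFFFFFFFF82639CD0;

    (void)argc;
    (void)argv;

    /* uid_t is not size_t; cast so the conversion specifier matches the argument. */
    printf("uid: %u\n", (unsigned)getuid());
    ps4KernelCall(ps4KernelPrivilegeEscalate);
    /* ps4KernelDebugEnable is deliberately not called: the author noted it
     * caused uid 1 and a crash. */
    printf("uid: %u\n", (unsigned)getuid());

    /* NOTE(review): the lookup result is used below without a check;
     * presumably NULL on failure -- confirm against ps4KernelDlSym. */
    sceSblACMgrIsVideoplayerProcess =
        (void *)ps4KernelCall(ps4KernelDlSym, "sceSblACMgrIsVideoplayerProcess");

    mem = malloc(64);
    if (mem == NULL) {
        perror("malloc");
        return EXIT_FAILURE;
    }
    /* Fill with 0x90, then place a NUL-terminated marker string at the start. */
    memset(mem, 0x90, 64);
    memcpy(mem, greeting, sizeof greeting);
    printf("mem: %p: %s\n", mem, mem);
    ps4StandardIoPrintHexDump(mem, 48);

    /* Stage 1: the buffer is printed again afterwards, so kmain1 presumably
     * writes to it -- kmain1..3 are defined outside this listing. */
    r = ps4KernelExecute((void *)kmain1, mem, &ret, NULL);
    printf("mem: %p: %s\n", mem, mem);
    ps4StandardIoPrintHexDump(mem, 48);
    /* ret is int64_t, so print it with the 64-bit macro rather than PRIxPTR. */
    printf("[K1] r: %i, ret: %" PRIx64 "\n", r, (uint64_t)ret);
    ps4KernelCall(ps4KernelMemoryCopy, sceSblACMgrIsVideoplayerProcess, mem, 32);
    ps4StandardIoPrintHexDump(mem, 48);

    /* Stage 2 */
    r = ps4KernelExecute((void *)kmain2, mem, &ret, NULL);
    printf("[K2] r: %i, ret: %" PRIx64 "\n", r, (uint64_t)ret);
    ps4KernelCall(ps4KernelMemoryCopy, sceSblACMgrIsVideoplayerProcess, mem, 32);
    ps4StandardIoPrintHexDump(mem, 48);

    /* Stage 3 */
    r = ps4KernelExecute((void *)kmain3, mem, &ret, NULL);
    printf("[K3] r: %i, ret: %" PRIx64 "\n", r, (uint64_t)ret);
    ps4KernelCall(ps4KernelMemoryCopy, sceSblACMgrIsVideoplayerProcess, mem, 32);
    ps4StandardIoPrintHexDump(mem, 48);

    /*
     * Create the TCP socket that receives the dump.
     * NOTE(review): the receiver address and port are hard-coded and the data
     * is sent as plain TCP. The page describes the dump as holding the
     * console's tokens and flags, so the receiver belongs on a trusted LAN.
     */
    memset(&server, 0, sizeof server);
    server.sin_len = sizeof server;
    server.sin_family = AF_INET;
    server.sin_addr.s_addr = IP(192, 168, 1, 65);
    server.sin_port = htons(9023);

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0) {
        perror("socket");
        goto out;
    }
    /* Without a connected receiver every send() below would fail, so stop here. */
    if (connect(sock, (struct sockaddr *)&server, sizeof server) < 0) {
        perror("connect");
        goto out;
    }
    /* Failing to disable Nagle only affects latency; report it and carry on. */
    if (setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, &nodelay, sizeof nodelay) < 0) {
        perror("setsockopt");
    }

    /* Ask for the bank and block; an unparsable answer must not leave them unset. */
    printf(" [+] Enter the bank id you wish to dump with:");
    if (scanf("%d", &bank) != 1) {
        fprintf(stderr, "could not read bank id\n");
        goto out;
    }
    printf(" [+] Enter the block id you wish to dump with:");
    if (scanf("%d", &block) != 1) {
        fprintf(stderr, "could not read block id\n");
        goto out;
    }

    if (block < 0 || block > 4) {
        printf("invalid block id, try using 0-4\n");
        ids_ok = 0;
    }
    if (bank < 0 || bank > 1) {
        printf("invalid bank id, try using 0-1\n");
        ids_ok = 0;
    }
    if (!ids_ok) {
        goto out;
    }

    /*
     * The original wrote `u == 0x3000;` for block 0, a comparison with no
     * effect, so the loop bound was read uninitialised. The table lookup
     * gives every valid block id a defined length.
     */
    block_len = block_len_by_id[block];

    printf(" [+] Dumping via icc_nvs_read with bank id:%d and block id:%d\n", bank, block);
    for (offset = 0; offset < block_len; offset += 0x10) {
        int64_t retz = ps4KernelCall(icc_nvs_read, bank, block, offset, 0x10, chunk);

        if (retz == -1) {
            /* NOTE(review): errno may not be set by this call -- confirm. */
            perror("icc_nvs_read");
        } else if (retz == 0) {
            /* Only chunks read successfully are forwarded to the receiver. */
            if (send(sock, chunk, sizeof chunk, 0) != (ssize_t)sizeof chunk) {
                perror("send");
                goto out;
            }
        }
    }
    rc = EXIT_SUCCESS;

out:
    /* Close the socket if it was opened and release the scratch buffer. */
    if (sock >= 0) {
        close(sock);
    }
    free(mem);
    return rc;
}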
Download: ps4_syscon.tif (209 MB)
PS4 SysCon Renesas Image: PS4 SysCon Chip Optical EFD / EDF Stitch
To quote from @zecoxao in the Tweet above: It seems that PS4 syscon (PS4 Syscon Research & Development Repository) is a custom Renesas RL78/G13 (100 pin) and it looks like superslim is also one of those.
- PS4 SysGlitch Tool and SysCon Glitching Pinout by VVildCard777
- PS4 Syscon (System Controller) Guide (syscon-guide-main.zip) by @BwE of BetterWayElectronics.com.au
Thanks to both and @mcmrc1 and @toni1988 for the news tip in the PSXHAX Shoutbox!