PS4 CFW and Hacks | Thread starter: PSXHAX | Start date: Feb 24, 2017 at 9:28 PM
Last weekend we saw GTA V Simple Mod Menu v1.0 for PS4 1.76 from PlayStation 4 developer @2much4u, and today he returns via Twitter with a PS4 GTA V Native Caller for use with CTurt's PS4 *** and perhaps Hitodama's PS4SDK with more details below. :thumbup:

Download: PS4-GTA-V-Native-Caller-master.zip / GIT / iw6_ds.rar (Ghosts Server .exe + .pdb - 11.16 MB) / iw_ps4_image.zip (Full Server Dump - 403.2 MB)

To quote from the README.md: PS4 GTA V Native Caller

A simple example of calling natives for GTA V using CTurt's PS4 ***.

Brief Explanation

Setting Up Execution

The payload first escalates privileges using the dlclose kernel exploit. The kernel payload also disables ASLR for newly created processes, which makes them much easier to modify. The browser payload then polls the running processes until it finds one called eboot.bin. Once the game process is found, the ptrace syscall is used to read from and write to it. With ASLR disabled, the EBOOT always starts at 0x400000 in memory.

The payload reads a few bytes from the EBOOT to verify that the game is GTA V and to detect the region. It then makes three edits to the EBOOT. Luckily, the EBOOT's main executable memory page has about 0xE000 free bytes at its end. Two functions are copied into that free space: a standard main function, nativeHook, and a function for calling natives by hash, invokeNative. The last edit hooks the IS_PLAYER_ONLINE native so that it calls the newly copied main function. After this, the browser payload exits.
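The three setup steps above (fingerprint the EBOOT, copy code into the free tail of the page, redirect a hook site) as a runnable model. This is an added example written for this page, not code from the Native Caller repository: the game is a flat byte array at 0x400000 standing in for what ptrace reads and writes, the fingerprint bytes, their offsets and the page size are constructed placeholders, and the hook is modelled as overwriting a 5-byte x86-64 `call rel32` at the site, which is an assumption about the mechanism, not something the README states.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Model of the game's main executable page as the browser payload sees it
 * through ptrace. The README gives the base (0x400000, ASLR off) and the
 * free space at the end of the page (about 0xE000 bytes); the page size
 * used here is constructed for the example. */
#define EBOOT_BASE      0x400000u
#define TEXT_SIZE       0x10000u
#define FREE_BYTES      0xE000u
#define FREE_START      (EBOOT_BASE + TEXT_SIZE - FREE_BYTES)

/* Constructed fingerprint: offsets and bytes are placeholders, not the
 * real values the payload checks. */
#define FINGERPRINT_OFF 0x100u
#define REGION_OFF      0x108u
static const uint8_t kFingerprint[8] = { 'G', 'T', 'A', 'V', '1', '.', '0', '0' };

enum region { REGION_UNKNOWN = 0, REGION_US = 1, REGION_EU = 2 };

struct target {
    uint8_t  text[TEXT_SIZE];
    uint32_t free_used;   /* bytes of the free tail already handed out */
};

/* Stand-ins for ptrace peek/poke on the game process, with bounds checks. */
static bool target_read(const struct target *t, uint32_t addr, void *out, size_t len)
{
    if (len > TEXT_SIZE || addr < EBOOT_BASE || addr - EBOOT_BASE > TEXT_SIZE - len) return false;
    memcpy(out, t->text + (addr - EBOOT_BASE), len);
    return true;
}

static bool target_write(struct target *t, uint32_t addr, const void *in, size_t len)
{
    if (len > TEXT_SIZE || addr < EBOOT_BASE || addr - EBOOT_BASE > TEXT_SIZE - len) return false;
    memcpy(t->text + (addr - EBOOT_BASE), in, len);
    return true;
}

/* Step 1: read a few bytes to confirm the process is GTA V and learn its region. */
enum region identify_eboot(const struct target *t)
{
    uint8_t fp[sizeof kFingerprint], region;
    if (!target_read(t, EBOOT_BASE + FINGERPRINT_OFF, fp, sizeof fp)) return REGION_UNKNOWN;
    if (memcmp(fp, kFingerprint, sizeof fp) != 0) return REGION_UNKNOWN;
    if (!target_read(t, EBOOT_BASE + REGION_OFF, &region, 1)) return REGION_UNKNOWN;
    return region == 1 ? REGION_US : region == 2 ? REGION_EU : REGION_UNKNOWN;
}

/* Step 2: bump-allocate a function body into the free tail. Returns its new
 * address, or 0 once the 0xE000 budget is exhausted. */
uint32_t inject_code(struct target *t, const void *body, uint32_t len)
{
    if (len > FREE_BYTES - t->free_used) return 0;
    uint32_t addr = FREE_START + t->free_used;
    if (!target_write(t, addr, body, len)) return 0;
    t->free_used += len;
    return addr;
}

/* Step 3: redirect the hook site to the injected code. Assumption for this
 * model: the site holds a 5-byte x86-64 call rel32 (opcode E8) that may be
 * overwritten; rel32 is measured from the end of that instruction. */
bool hook_call_site(struct target *t, uint32_t site, uint32_t dest)
{
    int64_t rel = (int64_t)dest - ((int64_t)site + 5);
    if (rel < INT32_MIN || rel > INT32_MAX) return false;
    uint8_t ins[5] = { 0xE8 };
    int32_t rel32 = (int32_t)rel;
    memcpy(ins + 1, &rel32, sizeof rel32);
    return target_write(t, site, ins, sizeof ins);
}

/* Decode the call at a site back to an absolute address (0 if it is not a call). */
uint32_t call_destination(const struct target *t, uint32_t site)
{
    uint8_t ins[5];
    int32_t rel32;
    if (!target_read(t, site, ins, sizeof ins) || ins[0] != 0xE8) return 0;
    memcpy(&rel32, ins + 1, sizeof rel32);
    return (uint32_t)((int64_t)site + 5 + rel32);
}

/* Constructed target with the placeholder fingerprint and region byte in place. */
void make_fake_gta(struct target *t, uint8_t region_byte)
{
    memset(t, 0, sizeof *t);
    memcpy(t->text + FINGERPRINT_OFF, kFingerprint, sizeof kFingerprint);
    t->text[REGION_OFF] = region_byte;
}
```

The fingerprint check is the guard that keeps the payload from poking a process that merely happens to be called eboot.bin; the budget check in inject_code is what turns "0xE000 bytes will run out very quickly" into a clean failure rather than a silent overwrite of whatever follows the free tail.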

Executing Inside GTA V

Once executing within GTA V, a structure called gtaVars is declared in some more free memory to keep track of global variables as well as a native argument structure. In order to keep the source simple and easily manageable, all functions called from nativeHook, besides invokeNative, are always inline. This includes the native setup functions, which copy the arguments into the native argument structure and then invoke the native by hash.

The native table has the same structure as on other platforms, making it easy to work with. The native hashes on PS4 GTA V 1.00 are the same as the 1.00 native hashes on PC, so the NativeDB documentation can be used. Most of the code in nativeHook is gated to execute only once per frame (IS_PLAYER_ONLINE is called multiple times per frame) in order to keep things smooth. This will matter more for any drawing.
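The in-game half of the flow, as an added example (not the project's code): a shared native argument block that inline setup wrappers fill before calling an invokeNative-style dispatcher by hash, a gtaVars-style state structure, and a nativeHook-style body that runs only on the first of the several IS_PLAYER_ONLINE calls in a frame. The hashes, the three fake natives and the engine structure are constructed stand-ins for the game's real native table; the real 1.00 hashes come from NativeDB. The stack-built string inside the hook shows the restriction discussed under Strings further down.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_NATIVE_ARGS 16

/* Placeholder hashes for this model, not the real NativeDB values. */
#define H_GET_FRAME_COUNT        0x1001ULL
#define H_SET_PLAYER_INVINCIBLE  0x1002ULL
#define H_IS_PLAYER_ONLINE       0x1003ULL

/* Stand-in for the engine state the fake natives touch. */
struct engine {
    uint32_t frame;       /* advanced once per rendered frame */
    bool     invincible;
};

/* Native argument block: the caller copies arguments in, the native writes
 * its return value back. The README keeps one of these in free EBOOT memory. */
struct native_args {
    uint64_t arg[MAX_NATIVE_ARGS];
    uint32_t argc;
    uint64_t ret;
};

typedef void (*native_fn)(struct engine *, struct native_args *);
struct native_entry { uint64_t hash; native_fn fn; };

/* Fake natives standing in for the game's table. */
static void n_get_frame_count(struct engine *e, struct native_args *a) { a->ret = e->frame; }
static void n_set_player_invincible(struct engine *e, struct native_args *a)
{
    if (a->argc == 2) e->invincible = a->arg[1] != 0;
}
static void n_is_player_online(struct engine *e, struct native_args *a) { (void)e; a->ret = 0; }

static const struct native_entry kNativeTable[] = {
    { H_GET_FRAME_COUNT,       n_get_frame_count },
    { H_SET_PLAYER_INVINCIBLE, n_set_player_invincible },
    { H_IS_PLAYER_ONLINE,      n_is_player_online },
};

/* invokeNative counterpart: find the hash in the table and run it on the
 * shared argument block. Unknown hashes are refused rather than crashing. */
bool invoke_native(struct engine *e, uint64_t hash, struct native_args *a)
{
    for (size_t i = 0; i < sizeof kNativeTable / sizeof kNativeTable[0]; i++) {
        if (kNativeTable[i].hash == hash) { kNativeTable[i].fn(e, a); return true; }
    }
    return false;
}

/* Setup wrappers in the style of natives.h: always inline, so they are
 * emitted into the body of the function that gets copied instead of being
 * a separate symbol at an address that is wrong after the copy. */
static inline uint32_t GET_FRAME_COUNT(struct engine *e, struct native_args *a)
{
    a->argc = 0; a->ret = 0;
    invoke_native(e, H_GET_FRAME_COUNT, a);
    return (uint32_t)a->ret;
}

static inline void SET_PLAYER_INVINCIBLE(struct engine *e, struct native_args *a, int player, bool on)
{
    a->arg[0] = (uint64_t)player; a->arg[1] = on; a->argc = 2;
    invoke_native(e, H_SET_PLAYER_INVINCIBLE, a);
}

/* All hook state in one structure, like gtaVars. */
struct gta_vars {
    struct native_args nargs;
    uint32_t last_frame;
    uint32_t hook_calls;   /* every time the hooked native fired */
    uint32_t body_runs;    /* how often the per-frame body actually ran */
    char     notice[16];
};

/* nativeHook counterpart, entered wherever IS_PLAYER_ONLINE would be.
 * Returns 1 when the per-frame body ran, 0 when skipped as a repeat call. */
int native_hook(struct gta_vars *v, struct engine *e)
{
    v->hook_calls++;
    uint32_t frame = GET_FRAME_COUNT(e, &v->nargs);
    if (frame == v->last_frame) return 0;
    v->last_frame = frame;

    /* String built on the stack as bytes: a normal literal would be a pointer
     * into .rodata that is meaningless once this function has been copied. */
    char label[] = { 'G', 'o', 'd', ' ', 'm', 'o', 'd', 'e', 0 };
    memcpy(v->notice, label, sizeof label);

    SET_PLAYER_INVINCIBLE(e, &v->nargs, 0, true);
    v->body_runs++;
    return 1;
}

/* Drive the model: each frame the engine hits the hooked native several times. */
void run_frames(struct gta_vars *v, struct engine *e, uint32_t frames, uint32_t calls_per_frame)
{
    for (uint32_t f = 0; f < frames; f++) {
        e->frame++;
        for (uint32_t c = 0; c < calls_per_frame; c++) native_hook(v, e);
    }
}
```

The frame gate is the only thing standing between the menu and running its whole body on every one of the engine's IS_PLAYER_ONLINE calls, so it belongs at the top of the hook before any native that does real work.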

Restrictions

Functions

As mentioned in the brief explanation, functions called from nativeHook must always be inline, or the game will crash. When compiled, nativeHook expects those functions to be at specific locations relative to itself; once nativeHook is copied to a different location, those relative locations are wrong. The exceptions are functions inside the EBOOT that the payload declares by their absolute address, such as invokeNative and any additional functions that may be needed, such as snprintf.

Strings

Since nativeHook is copied to a different location, strings cannot be used inside it in the normal way (a string literal compiles to a pointer into the original read-only data). A simple way around this is to define them on the stack like:
Code:
char helloWorld[] = { 0x48, 0x65, 0x6c, 0x6c, 0x6f, 0x20, 0x57, 0x6f, 0x72, 0x6c, 0x64, 0x0 }; // "Hello World" built in place, no pointer to .rodata
Global Variables

Global variables have the same issue as strings. As previously mentioned, a good way to manage them is with a structure. However, there is not much free space left at the address where gtaVars and the native arg structure are declared. For this reason, it is recommended to keep global variable usage to a minimum.

Space

0xE000 bytes will run out very quickly. Using inline functions and defining strings on the stack will cause the size of nativeHook to be quite large. For reference, the simple mod menu v1.0 needed about 0x3800 of those bytes.

Multiple Instances

Since the functions in this payload are copied into GTA at a static address, multiple payloads cannot run at the same time; they would just replace each other.

Miscellaneous Notes

Natives

Only a few natives are defined in natives.h; just the ones needed for the simple mod menu v1.0 were copied. Defining more is easy enough.

Buttons

Button IDs on PS4 differ from last gen and PC, so a simple mapping of them is included. Button_Tpad_X and Button_Tpad_Y can be used with the natives GET_CONTROL_VALUE and GET_CONTROL_NORMAL for touch pad input. Button_Tpad indicates only whether the touch pad is pressed.

Testing

Since this payload injects functions into EBOOT memory, different versions of the payload can be tested without restarting GTA. This is a big difference from developing on last-gen consoles.

Bugs & Closing Remarks

While developing the simple GTA menu, I ran into numerous unexplained bugs that disappeared just as mysteriously. Expect that while developing with this. It will be an interesting experience. This is a fairly simple way to go about modding a game, which has its disadvantages.

Credits
  • BadChoicesZ - Notifications code
  • ZiL0G80 - Disable process ASLR address
  • Zecoxao - Firmware version spoof address
  • kR105 - Dlclose exploit sample code
  • CTurt, flatz, SKFU, droogie, Xerpi, bigboss, Hunger, Takezo and Proxima - PS4 *** and background PS4 research making all this possible
  • Alexander Blade and NativeDB Contributors - Native research making GTA V stuff relatively easy to port to PS4
Also from SC58, to quote: The PDB is not for the PS4 eboot itself; they are server files run on PC, and the ones that got leaked are PS3/Xbox 360/Xbox One/PS4 (not for the EBOOT). There's more or less all the same info in each one, and you couldn't really use this to make your own server (only for PC really), but it would be possible to make a payload to make a server for LAN play online, so 1.76 users with that payload, if made, could connect and play with one another. But that would take a lot of work and crap to even be a thing (not worth my time to bother with).

If anyone who doesn't have these already wants them (the full dump was a few GB, but it's .ff files and other stuff you don't really need)

Here is the full server file dump if anyone wants it (linked above). A lot of the structs and stuff are different from console as this is run on the PC, but a lot of the stuff is the same as on console.
Cheers to @raedoob for the news tip earlier today in the PSXHAX Shoutbox! (-8

Comments

PS4 will never have a CFW at this rate; you need all the keys, and sadly, to crack those keys you would need a computer that costs over 400,000 dollars. #notworthit
 
It just keeps getting better! Thanks 2Much4U :)

I don't understand people sometimes.
We have something close to a CFW rather than actually having a CFW.
There is so much that we all can do.
It just takes a little time and a whole lot of effort to do so, and to be quite honest, we just need a higher OFW kernel exploit, and people that are deep into making mod menus will simply adapt to the newer technique/process.
And to others it's nothing new, just some simple adjustments on their part. 2Much4U just simply removed the veil and showed us all that it is all possible, and it's not just a mysterious video with no link to a file. Sadly, to some people 2Much4U is just
Too MUCH FOR YOU. LOL :)
 