PS4 Module Loader for IDA Userland Modules by SocraticBliss

Tested on IDA 7.0-7.2 and geared towards PS4 scene devs who haven't jumped to GhidraPS4Loader / GhidraOrbisTools yet, today PlayStation 4 developer @SocraticBliss made available on Twitter a PS4 Module Loader for Userland Modules following his recent PS4 Kernel Loader updates.

Download: ps4_module.py / ps4_module_loader-master.zip / GIT

And from the README.md to quote: PS4 Module Loader

SocraticBliss (R)

Major Thanks to...

• aerosoul
• balika011
• Znullptr
• Pablo (kozarovv)
• ChendoChap
• xyz
• CelesteBlue
• kiwidogg
• motoharu
• noname120
• flatz
• Team Reswitched

Extra Special Thanks for telling me my program sucks...

• zecoxao

ps4_module.py: IDA loader for reading Sony PlayStation(R) 4 Module files

Installation

1. Extract the python directory into your IDA directory (overwite the files when prompted)
2. Place the ps4_module.py and aerolib.csv files in your IDA's loaders directory
3. Optional: Install the latest https://github.com/SocraticBliss/ps4_name2nid

Usage

1. Load a PS4 Module file (.prx, .sprx, .elf, .self)
2. Select the option ending with [ps4_module.py]

Spoiler: Depreciated
If you have any suggestions or ideas, please feel free to create pull requests!

To make the most out of this, we have to work together!

Download: patched_belf.zip (415.05 KB - patched balika elf loader that loads a xml with no lib entries addressed to it. and dynlib.xml converted from SocraticBliss's aerolib.csv)

NIDs Explained

What are they:

Function names, variables, etc, but obfuscated. Known as (N)ame(ID)entifiers.

How to get a nid from:

PSP

sha1 hash of string of function name or variable , grab first 4 bytes, endian swap 32

Warning: Some nids have to be manually guessed! From 3.70 at least. there is no solution to find the suffix (yet)

PSVita

sha1 hash of string of function name or variable , grab first 4 bytes, endian swap 32

Warning: Some nids have to be manually guessed! there is no solution to find the suffix (yet)
Warning2: nids like module_start, etc(NONAME) have suffix c1b886af5c31846467e7ba5e2cffd64a as key

PS3

sha1 hash of string of function name plus binary key 6759659904250490566427499489741A in hex,
grab first 4 bytes, endian swap 32

Warning: nids like module_start, etc (NONAME) have suffix bc5eba9e042504905b64274994d9c41f as binary key

PS4

sha1 hash of string of function name or variable plus binary key 518D64A635DED8C1E6B039B1C3E55230
grab first 8 bytes?, endian swap 64? and finally convert to sony's special base64
(i believe replace - with = for charset)

Bruteforcing:

Using custom hashcat.

Algos:

• PS3, Python
  

  import sys, os
  import struct
  from hashlib import sha1
  import hashlib
  from base64 import b64encode as base64enc
  from binascii import unhexlify as uhx
  
  #ref https://github.com/SocraticBliss/ps4_name2nid_plugin
  
  NEW_NIDS = {}
  AEROLIB  = 'nids.txt'
  NAMES   = 'ps3_names.txt'
  
  def name2nid(name):
      symbol = sha1(name.encode() + uhx(b'6759659904250490566427499489741A')).digest()
      nid = struct.unpack('<I', symbol[:4])[0]
      NEW_NIDS[nid]=name
  
  def save_nids(NIDS):
      csvFile=open(AEROLIB,"w")
      for nid, name in sorted(NIDS.items(), key=lambda x: x[1]):
          csvFile.writelines('0x%08X %s\n' % (nid, name))
      csvFile.close()
  
  
  
  f = open(NAMES,"r")
  for line in f.readlines():
      line = line.strip()
      name2nid(line)
  
  f.close()
  
  save_nids(NEW_NIDS)

• PS4, Python
  

  import sys, os
  import struct
  #from hashlib import sha1
  import hashlib
  from base64 import b64encode as base64enc
  from binascii import unhexlify as uhx
  
  #ref https://github.com/SocraticBliss/ps4_name2nid_plugin
  
  NEW_NIDS = {}
  AEROLIB  = 'aerolib.csv'
  NAMES   = 'ps4_names.txt'
  
  def name2nid(name):
      symbol = hashlib.sha1(name.encode() + uhx('518D64A635DED8C1E6B039B1C3E55230')).digest()
      id     = struct.unpack('<Q', symbol[:8])[0]
      nid    = base64enc(uhx('%016x' % id), b'+-').rstrip(b'=')
      NEW_NIDS[nid]=name
  
  def save_nids(NIDS):
      csvFile=open(AEROLIB,"w")
      for nid, name in sorted(NIDS.items(), key=lambda x: x[1]):
          csvFile.writelines('%s %s\n' % (str(nid,'utf-8'), name))
      csvFile.close()
  
  
  
  f = open(NAMES,"r")
  for line in f.readlines():
      line = line.strip()
      name2nid(line)
  
  f.close()
  
  save_nids(NEW_NIDS)

Good links:

• nidcracker (also excellent bruter but for psp)
• nid-explained
• ps4_module_loader (aerolib.csv)
• ps4libdoc
• Ps3GhidraScripts (nids.txt)
• vita-headers (db folder)

• Dependencies

 

[zainerockid]

The point from doing this?

 

[zondai]

The point is a ps4 module loader

 

[zia]

What does it do? Any video tutorial

 

[Gamerengg]

Is this tool use to jailbreak 6.XX ?!

 

[spotanjo3]

It doesn't explain clearly what it does. Explain ?

 

[Sanchant]

As it clearly says, it's a kernel loader and not a kernel exploit. "What I need you to do is for you to climb out of my ass. Can you do that for me. Cause I would really appreciate it" ----- from all of the devs

 

[SocraticBliss]

More for developers/reversers, but its used to decompile/disassemble PS4 user module binaries, to get a better understanding of how the PS4 works at a higher level.

This isn't used directly to gain you a jailbreak, but can be a tool to help with that process.

Edit: Feel free to ask any more questions, I'll try to answer them as best as I can.

 

[Gamerengg]

So it's refers to backward comapability and so on.. is it right @SocraticBliss

 

[SocraticBliss]

Think of it this way, it is a tool to "unpack/understand" the code that Sony writes, in order to make the PS4 work the way it does.