PS4 Module Loader for IDA Userland Modules by SocraticBliss

Tested on IDA 7.0-7.2 and geared towards PS4 scene devs who haven't jumped to GhidraPS4Loader / GhidraOrbisTools yet, today PlayStation 4 developer @SocraticBliss made available on Twitter a PS4 Module Loader for Userland Modules following his recent PS4 Kernel Loader updates.

Download: ps4_module.py / ps4_module_loader-master.zip / GIT

And from the README.md to quote: PS4 Module Loader

SocraticBliss (R)

Major Thanks to...

• aerosoul
• balika011
• Znullptr
• Pablo (kozarovv)
• ChendoChap
• xyz
• CelesteBlue
• kiwidogg
• motoharu
• noname120
• flatz
• Team Reswitched

Extra Special Thanks for telling me my program sucks...

• zecoxao

ps4_module.py: IDA loader for reading Sony PlayStation(R) 4 Module files

Installation

IDA 7.0 - 7.2

1. Extract the IDA70-72.zip directory into your IDA directory (overwite the files when prompted)

IDA 7.5-7.7 (Requires Python 3.9)

1. Extract the IDA75.zip directory into your IDA directory (overwite the files when prompted)

IDA 8.3

1. I will eventually make a zip, just copy ps4_module.py and aerolib.csv to your loaders directory

Usage

1. Load a PS4 Module file (.prx, .sprx, .elf, .self)
2. Select the option ending with [ps4_module.py]

Spoiler: Depreciated

If you have any suggestions or ideas, please feel free to create pull requests!

To make the most out of this, we have to work together!

Download: patched_belf.zip (415.05 KB - patched balika elf loader that loads a xml with no lib entries addressed to it. and dynlib.xml converted from SocraticBliss's aerolib.csv)

NIDs Explained

What are they:

Function names, variables, etc, but obfuscated. Known as (N)ame(ID)entifiers.

How to get a nid from:

PSP

sha1 hash of string of function name or variable , grab first 4 bytes, endian swap 32

Warning: Some nids have to be manually guessed! From 3.70 at least. there is no solution to find the suffix (yet)

PSVita

sha1 hash of string of function name or variable , grab first 4 bytes, endian swap 32

Warning: Some nids have to be manually guessed! there is no solution to find the suffix (yet)
Warning2: nids like module_start, etc(NONAME) have suffix c1b886af5c31846467e7ba5e2cffd64a as key

PS3

sha1 hash of string of function name plus binary key 6759659904250490566427499489741A in hex,
grab first 4 bytes, endian swap 32

Warning: nids like module_start, etc (NONAME) have suffix bc5eba9e042504905b64274994d9c41f as binary key

PS4

sha1 hash of string of function name or variable plus binary key 518D64A635DED8C1E6B039B1C3E55230
grab first 8 bytes?, endian swap 64? and finally convert to sony's special base64
(i believe replace - with = for charset)

Bruteforcing:

Using custom hashcat.

Algos:

• PS3, Python
  

  import sys, os
  import struct
  from hashlib import sha1
  import hashlib
  from base64 import b64encode as base64enc
  from binascii import unhexlify as uhx
  
  #ref https://github.com/SocraticBliss/ps4_name2nid_plugin
  
  NEW_NIDS = {}
  AEROLIB  = 'nids.txt'
  NAMES   = 'ps3_names.txt'
  
  def name2nid(name):
      symbol = sha1(name.encode() + uhx(b'6759659904250490566427499489741A')).digest()
      nid = struct.unpack('<I', symbol[:4])[0]
      NEW_NIDS[nid]=name
  
  def save_nids(NIDS):
      csvFile=open(AEROLIB,"w")
      for nid, name in sorted(NIDS.items(), key=lambda x: x[1]):
          csvFile.writelines('0x%08X %s\n' % (nid, name))
      csvFile.close()
  
  
  
  f = open(NAMES,"r")
  for line in f.readlines():
      line = line.strip()
      name2nid(line)
  
  f.close()
  
  save_nids(NEW_NIDS)

• PS4, Python
  

  import sys, os
  import struct
  #from hashlib import sha1
  import hashlib
  from base64 import b64encode as base64enc
  from binascii import unhexlify as uhx
  
  #ref https://github.com/SocraticBliss/ps4_name2nid_plugin
  
  NEW_NIDS = {}
  AEROLIB  = 'aerolib.csv'
  NAMES   = 'ps4_names.txt'
  
  def name2nid(name):
      symbol = hashlib.sha1(name.encode() + uhx('518D64A635DED8C1E6B039B1C3E55230')).digest()
      id     = struct.unpack('<Q', symbol[:8])[0]
      nid    = base64enc(uhx('%016x' % id), b'+-').rstrip(b'=')
      NEW_NIDS[nid]=name
  
  def save_nids(NIDS):
      csvFile=open(AEROLIB,"w")
      for nid, name in sorted(NIDS.items(), key=lambda x: x[1]):
          csvFile.writelines('%s %s\n' % (str(nid,'utf-8'), name))
      csvFile.close()
  
  
  
  f = open(NAMES,"r")
  for line in f.readlines():
      line = line.strip()
      name2nid(line)
  
  f.close()
  
  save_nids(NEW_NIDS)

Good links:

• nidcracker (also excellent bruter but for psp)
• nid-explained
• ps4_module_loader (aerolib.csv)
• ps4libdoc
• Ps3GhidraScripts (nids.txt)
• vita-headers (db folder)

• Dependencies

user SocraticBliss has ported ps4_module_loader and ps4_kernel_loader to ida pro 8.3

• ps4_module_loader-master.zip / PS4 Module Loader GIT / ps4_kernel_loader-master.zip / PS4 Kernel Loader GIT

 

[zainerockid]

Nice, to be honest, I really like to see a tutorial on how PS4 works and knowing more about binaries, and why we can't jailbreak PS4 again?

 

[James92]

The devs dont owe nothing to these whiners who are always expecting something they always want things handed to their hands ... or if not get a job and buy some games on the PlayStation network store

 

[turrinha]

Good afternoon friends, thanks for the explanation.

 

[Gwyn]

@Sanchant I love how you think that just because you know some devs or friends of friends of devs you are at the top of the food chain.

Yes I know, your going to give the typical "I never said that" worn out self defence cliche that everyone loves giving when they are being called out and they know it. If you have nothing to say but attack people, just don't say it.

 

[zia]

it means @SocraticBliss is the next dev helping with exploit research hurayyyy

 

[TarTacular]

Thank You for the tools.

 

[mukasange]

does this homebrew can make us play game 5.05 higher if not blah I don't use it

 

[vampula]

At least someone is doing anything on this scene, jees....

Thanks for your work, dude

 

[Synderella]

Gotta be honest guys, I agree with zecoxao this time

 

[Buckler]

Cool Stuff