Today PlayStation 4 developer @SocraticBliss made available on Twitter a PS4 Module Loader for userland modules, following his recent PS4 Kernel Loader updates. It is tested on IDA 7.0-7.2 and geared towards PS4 scene devs who haven't jumped to GhidraPS4Loader / GhidraOrbisTools yet.
Download: ps4_module.py / ps4_module_loader-master.zip / GIT
And from the README.md to quote:
PS4 Module Loader
SocraticBliss (R)
Major Thanks to...
- aerosoul
- balika011
- Znullptr
- Pablo (kozarovv)
- ChendoChap
- xyz
- CelesteBlue
- kiwidogg
- motoharu
- noname120
- flatz
- Team Reswitched
- zecoxao
Installation
IDA 7.0 - 7.2
- Extract the IDA70-72.zip directory into your IDA directory (overwrite the files when prompted)
- Extract the IDA75.zip directory into your IDA directory (overwrite the files when prompted)
- I will eventually make a zip, just copy ps4_module.py and aerolib.csv to your loaders directory
- Load a PS4 Module file (.prx, .sprx, .elf, .self)
- Select the option ending with [ps4_module.py]
If you have any suggestions or ideas, please feel free to create pull requests!
To make the most out of this, we have to work together!
Download: patched_belf.zip (415.05 KB - patched balika ELF loader that loads an XML with no lib entries addressed to it, and dynlib.xml converted from SocraticBliss's aerolib.csv)
NIDs Explained
What are they:
Function names, variables, etc., but obfuscated. Known as (N)ame (ID)entifiers.
How to derive a NID on each platform:
PSP
SHA-1 hash of the function or variable name string, take the first 4 bytes, endian-swap as a 32-bit value.
Warning: some NIDs have to be guessed manually (from firmware 3.70 at least); there is no way to find the suffix (yet).
PSVita
SHA-1 hash of the function or variable name string, take the first 4 bytes, endian-swap as a 32-bit value.
Warning: some NIDs have to be guessed manually; there is no way to find the suffix (yet).
Warning 2: NIDs like module_start, etc. (NONAME) use the suffix c1b886af5c31846467e7ba5e2cffd64a as the key.
PS3
SHA-1 hash of the function name string plus the binary key 6759659904250490566427499489741A (hex), take the first 4 bytes, endian-swap as a 32-bit value.
Warning: NIDs like module_start, etc. (NONAME) use the suffix bc5eba9e042504905b64274994d9c41f as the binary key.
PS4
SHA-1 hash of the function or variable name string plus the binary key 518D64A635DED8C1E6B039B1C3E55230, take the first 8 bytes (?), endian-swap as a 64-bit value (?), and finally convert to Sony's special base64 (I believe: replace - with = for the charset).
Bruteforcing:
Using a custom hashcat.
Algorithms:
- PS3, Python
Code:
import struct
from hashlib import sha1
from binascii import unhexlify as uhx

# ref https://github.com/SocraticBliss/ps4_name2nid_plugin

NEW_NIDS = {}
AEROLIB = 'nids.txt'       # output: one "0xNID name" line per symbol
NAMES = 'ps3_names.txt'    # input: one symbol name per line

def name2nid(name):
    # PS3: SHA-1 over the name plus the binary suffix, first 4 bytes read as a little-endian u32
    symbol = sha1(name.encode() + uhx(b'6759659904250490566427499489741A')).digest()
    nid = struct.unpack('<I', symbol[:4])[0]
    NEW_NIDS[nid] = name

def save_nids(NIDS):
    # sorted by name so the output file is stable between runs
    with open(AEROLIB, 'w') as csvFile:
        for nid, name in sorted(NIDS.items(), key=lambda x: x[1]):
            csvFile.write('0x%08X %s\n' % (nid, name))

with open(NAMES, 'r') as f:
    for line in f:
        line = line.strip()
        if line:                # skip blank lines, which would otherwise hash to a bogus entry
            name2nid(line)
save_nids(NEW_NIDS)
- PS4, Python
Code:
import struct
import hashlib
from base64 import b64encode as base64enc
from binascii import unhexlify as uhx

# ref https://github.com/SocraticBliss/ps4_name2nid_plugin

NEW_NIDS = {}
AEROLIB = 'aerolib.csv'    # output: one "NID name" line per symbol, the format the loader reads
NAMES = 'ps4_names.txt'    # input: one symbol name per line

def name2nid(name):
    # PS4: SHA-1 over the name plus the binary suffix, first 8 bytes read as a little-endian u64 ...
    symbol = hashlib.sha1(name.encode() + uhx('518D64A635DED8C1E6B039B1C3E55230')).digest()
    id = struct.unpack('<Q', symbol[:8])[0]
    # ... written back out big-endian (the "endian swap 64"), then base64 with '-' in place of '/'
    # and the trailing '=' dropped, which yields the 11-character NID string
    nid = base64enc(uhx('%016x' % id), b'+-').rstrip(b'=')
    NEW_NIDS[nid] = name

def save_nids(NIDS):
    # sorted by name so the output file is stable between runs
    with open(AEROLIB, 'w') as csvFile:
        for nid, name in sorted(NIDS.items(), key=lambda x: x[1]):
            csvFile.write('%s %s\n' % (str(nid, 'utf-8'), name))

with open(NAMES, 'r') as f:
    for line in f:
        line = line.strip()
        if line:                # skip blank lines, which would otherwise hash to a bogus entry
            name2nid(line)
save_nids(NEW_NIDS)
- nidcracker (also an excellent bruter, but for PSP)
- nid-explained
- ps4_module_loader (aerolib.csv)
- ps4libdoc
- Ps3GhidraScripts (nids.txt)
- vita-headers (db folder)
- ps4_module_loader-master.zip / PS4 Module Loader GIT / ps4_kernel_loader-master.zip / PS4 Kernel Loader GIT
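The four derivations from the "NIDs Explained" section, plus the lookup step a loader performs against an aerolib.csv-style table, as one added example. This is not code from the post, from SocraticBliss's loader, or from ps4_name2nid_plugin; the suffixes are the ones quoted above, the symbol names in the demo are illustrative sample names, the "import list" is constructed, and `ps4_nid_to_bytes`, `build_table` and `resolve` are helper names introduced here. It generalises the page's PS3/PS4 scripts by taking an optional suffix for PSP/Vita (so the Vita NONAME key can be passed in) and by showing that the base64 step is lossless, so a NID carries exactly the first 8 digest bytes and nothing more.

```python
import struct
from base64 import b64decode, b64encode
from binascii import unhexlify
from hashlib import sha1

# Binary suffixes exactly as listed on the page (hex, appended to the name as raw bytes).
PS3_SUFFIX = unhexlify("6759659904250490566427499489741A")
PS4_SUFFIX = unhexlify("518D64A635DED8C1E6B039B1C3E55230")
# Vita NONAME key from the page, usable as the `suffix` argument of psp_vita_name2nid.
VITA_NONAME_SUFFIX = unhexlify("c1b886af5c31846467e7ba5e2cffd64a")
PS4_B64_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+-")


def digest_for(name, suffix=b""):
    """SHA-1 over the symbol name plus an optional binary suffix."""
    return sha1(name.encode() + suffix).digest()


def psp_vita_name2nid(name, suffix=b""):
    """PSP/Vita: first 4 bytes of SHA-1(name [+ suffix]) as a little-endian u32 (the 'endian swap 32')."""
    return struct.unpack("<I", digest_for(name, suffix)[:4])[0]


def ps3_name2nid(name):
    """PS3: like PSP/Vita, but the PS3 binary key is always appended before hashing."""
    return psp_vita_name2nid(name, PS3_SUFFIX)


def sony_b64(raw):
    """Base64 with '-' in place of '/' and the '=' padding removed (assumed Sony alphabet)."""
    return b64encode(raw, altchars=b"+-").rstrip(b"=").decode()


def ps4_name2nid(name):
    """PS4: first 8 bytes of SHA-1(name + key), byte-reversed (the 'endian swap 64'), Sony base64."""
    return sony_b64(digest_for(name, PS4_SUFFIX)[:8][::-1])


def ps4_nid_to_bytes(nid):
    """Undo sony_b64 for an 11-character PS4 NID: restore the single '=' pad and decode."""
    return b64decode(nid + "=", altchars=b"+-")


def build_table(names):
    """NID -> name dictionary, the same pairing one line of aerolib.csv carries."""
    return {ps4_name2nid(n): n for n in names}


def resolve(table, nids):
    """Replace every known NID with its name; unknown NIDs come back unchanged so they stand out."""
    return [table.get(n, n) for n in nids]


if __name__ == "__main__":
    # Constructed sample names, standing in for the contents of ps4_names.txt.
    names = ["sceKernelDlsym", "sceKernelLoadStartModule", "sceKernelStat"]
    table = build_table(names)
    for nid, name in sorted(table.items(), key=lambda kv: kv[1]):
        print(f"{nid} {name}")
    # Constructed import list: two hashes the table can name and one it cannot.
    imports = [ps4_name2nid("sceKernelStat"), ps4_name2nid("sceKernelDlsym"), "AAAAAAAAAAA"]
    print(resolve(table, imports))
    print("PS3 0x%08X  PSP/Vita 0x%08X" % (ps3_name2nid("sys_ppu_thread_exit"),
                                          psp_vita_name2nid("sceKernelExitThread")))
```

The point the table makes concrete: a NID is a truncated hash, not an encoding of the name, so the only way a loader can label an import is to have hashed the candidate name beforehand. Anything not in the table (the third entry above) stays a bare 11-character string until someone guesses or brute-forces the name, which is exactly the gap the "Bruteforcing" section and the hashcat modes fill.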