PS4 CFW and Hacks | Thread starter: PSXHAX | Start date: Jul 30, 2019 at 2:00 AM
Tested on IDA 7.0-7.2 and geared towards PS4 scene devs who haven't jumped to GhidraPS4Loader / GhidraOrbisTools yet, today PlayStation 4 developer @SocraticBliss made available on Twitter a PS4 Module Loader for Userland Modules following his recent PS4 Kernel Loader updates. :love:

Download: ps4_module.py / ps4_module_loader-master.zip / GIT

And from the README.md to quote: PS4 Module Loader

SocraticBliss (R)

Major Thanks to...
  • aerosoul
  • balika011
  • Znullptr
  • Pablo (kozarovv)
  • ChendoChap
  • xyz
  • CelesteBlue
  • kiwidogg
  • motoharu
  • noname120
  • flatz
  • Team Reswitched
Extra Special Thanks for telling me my program sucks...
  • zecoxao

ps4_module.py: IDA loader for reading Sony PlayStation(R) 4 Module files

Installation

IDA 7.0 - 7.2
  1. Extract the IDA70-72.zip directory into your IDA directory (overwrite the files when prompted)

IDA 7.5 - 7.7 (Requires Python 3.9)
  1. Extract the IDA75.zip directory into your IDA directory (overwrite the files when prompted)

IDA 8.3
  1. I will eventually make a zip, just copy ps4_module.py and aerolib.csv to your loaders directory

Usage
  1. Load a PS4 Module file (.prx, .sprx, .elf, .self)
  2. Select the option ending with [ps4_module.py]

If you have any suggestions or ideas, please feel free to create pull requests!

To make the most out of this, we have to work together! :lovewins:

Download: patched_belf.zip (415.05 KB - patched balika ELF loader that loads an XML with no lib entries addressed to it, and dynlib.xml converted from SocraticBliss's aerolib.csv)

NIDs Explained

What are they:

Function names, variables, etc., but obfuscated. Known as (N)ame (ID)entifiers.

How to get a NID from:

PSP

SHA-1 hash of the string of the function name or variable, grab the first 4 bytes, endian swap 32.

Warning: Some NIDs have to be manually guessed! From 3.70 at least, there is no solution to find the suffix (yet).

PSVita

SHA-1 hash of the string of the function name or variable, grab the first 4 bytes, endian swap 32.

Warning: Some NIDs have to be manually guessed! There is no solution to find the suffix (yet).
Warning 2: NIDs like module_start, etc. (NONAME) have the suffix c1b886af5c31846467e7ba5e2cffd64a as key.

PS3

SHA-1 hash of the string of the function name plus the binary key 6759659904250490566427499489741A in hex, grab the first 4 bytes, endian swap 32.

Warning: NIDs like module_start, etc. (NONAME) have the suffix bc5eba9e042504905b64274994d9c41f as binary key.

PS4

SHA-1 hash of the string of the function name or variable plus the binary key 518D64A635DED8C1E6B039B1C3E55230, grab the first 8 bytes?, endian swap 64? and finally convert to Sony's special base64 (I believe replace - with = for charset).

Bruteforcing:

Using custom hashcat.

Algos:
  • PS3, Python
    Code:
    import struct
    from binascii import unhexlify as uhx
    from hashlib import sha1

    # ref https://github.com/SocraticBliss/ps4_name2nid_plugin

    NEW_NIDS = {}
    AEROLIB  = 'nids.txt'       # output: one "0xNID name" pair per line
    NAMES    = 'ps3_names.txt'  # input: one symbol name per line

    # PS3 suffix key appended to the symbol name before hashing
    PS3_KEY = uhx(b'6759659904250490566427499489741A')

    def name2nid(name):
        # SHA-1(name + key), first 4 bytes read as a little-endian 32-bit word
        symbol = sha1(name.encode() + PS3_KEY).digest()
        nid = struct.unpack('<I', symbol[:4])[0]
        NEW_NIDS[nid] = name

    def save_nids(NIDS):
        # sorted by name so the output file is stable between runs
        with open(AEROLIB, 'w') as csvFile:
            for nid, name in sorted(NIDS.items(), key=lambda x: x[1]):
                csvFile.write('0x%08X %s\n' % (nid, name))

    with open(NAMES, 'r') as f:
        for line in f:
            line = line.strip()
            if line:            # skip blank lines instead of hashing ''
                name2nid(line)

    save_nids(NEW_NIDS)
  • PS4, Python
    Code:
    import struct
    from base64 import b64encode as base64enc
    from binascii import unhexlify as uhx
    from hashlib import sha1

    # ref https://github.com/SocraticBliss/ps4_name2nid_plugin

    NEW_NIDS = {}
    AEROLIB  = 'aerolib.csv'    # output: one "NID name" pair per line
    NAMES    = 'ps4_names.txt'  # input: one symbol name per line

    # PS4 suffix key appended to the symbol name before hashing
    PS4_KEY = uhx('518D64A635DED8C1E6B039B1C3E55230')

    def name2nid(name):
        # SHA-1(name + key), first 8 bytes read little-endian and written
        # back big-endian (a byte swap), then base64 with '+' and '-' as the
        # two extra alphabet characters; the trailing '=' padding is dropped
        symbol = sha1(name.encode() + PS4_KEY).digest()
        value  = struct.unpack('<Q', symbol[:8])[0]
        nid    = base64enc(uhx('%016x' % value), b'+-').rstrip(b'=')
        NEW_NIDS[nid] = name

    def save_nids(NIDS):
        # sorted by name so the output file is stable between runs
        with open(AEROLIB, 'w') as csvFile:
            for nid, name in sorted(NIDS.items(), key=lambda x: x[1]):
                csvFile.write('%s %s\n' % (nid.decode('utf-8'), name))

    with open(NAMES, 'r') as f:
        for line in f:
            line = line.strip()
            if line:            # skip blank lines instead of hashing ''
                name2nid(line)

    save_nids(NEW_NIDS)
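As an added example (not code from the thread or from SocraticBliss's loader), the four derivations from the NIDs Explained section in one place, plus a reader for the "NID name" table layout the PS4 script writes, so a NID pulled out of a module can be resolved back to a name. The function names and the sample symbol names are mine; the keys are the ones quoted above.

```python
import struct
from base64 import b64encode
from binascii import unhexlify
from hashlib import sha1

# Suffix keys exactly as quoted in the thread (hex strings -> bytes).
PS3_KEY = unhexlify("6759659904250490566427499489741A")
PS3_NONAME_KEY = unhexlify("bc5eba9e042504905b64274994d9c41f")
VITA_NONAME_KEY = unhexlify("c1b886af5c31846467e7ba5e2cffd64a")
PS4_KEY = unhexlify("518D64A635DED8C1E6B039B1C3E55230")


def psp_vita_nid(name, noname=False):
    """PSP/Vita: SHA-1 of the bare name (Vita NONAME exports append a key),
    first 4 bytes read as a little-endian 32-bit word."""
    data = name.encode() + (VITA_NONAME_KEY if noname else b"")
    return struct.unpack("<I", sha1(data).digest()[:4])[0]


def ps3_nid(name, noname=False):
    """PS3: SHA-1 of name + binary key, first 4 bytes, little-endian."""
    key = PS3_NONAME_KEY if noname else PS3_KEY
    return struct.unpack("<I", sha1(name.encode() + key).digest()[:4])[0]


def ps4_nid(name):
    """PS4: SHA-1 of name + key, first 8 bytes byte-swapped, base64 with
    '+' and '-' as the extra alphabet characters, '=' padding dropped."""
    digest = sha1(name.encode() + PS4_KEY).digest()
    swapped = struct.unpack("<Q", digest[:8])[0].to_bytes(8, "big")
    return b64encode(swapped, b"+-").rstrip(b"=").decode()


def dump_aerolib(names):
    """Emit the 'NID name' one-per-line layout the PS4 script above writes."""
    return "".join(f"{ps4_nid(n)} {n}\n" for n in sorted(set(names)))


def load_aerolib(text):
    """Parse that layout back into a NID -> name table, skipping bad lines."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            table[parts[0]] = parts[1]
    return table


def resolve(table, nid):
    """Symbol name for an import NID, or None when the table lacks it."""
    return table.get(nid)
```

Feeding `load_aerolib` the real aerolib.csv and calling `resolve` on the NIDs found in a module's import table is the same lookup the loader performs when it renames imports; an unknown NID simply comes back as None.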
Good links:
User SocraticBliss has ported ps4_module_loader and ps4_kernel_loader to IDA Pro 8.3
Comments

As it clearly says, it's a kernel loader and not a kernel exploit. "What I need you to do is for you to climb out of my ass. Can you do that for me. Cause I would really appreciate it" ----- from all of the devs
 
More for developers/reversers, but it's used to decompile/disassemble PS4 user module binaries, to get a better understanding of how the PS4 works at a higher level.

This isn't used directly to gain you a jailbreak, but can be a tool to help with that process.

Edit: Feel free to ask any more questions, I'll try to answer them as best as I can.