PS4 CFW and Hacks | Thread starter: PSXHAX | Start date: Jun 18, 2020 at 2:04 AM
Following his OrbisSWU: The PS4 Update Tool research, PlayStation 4 developer @theorywrong shared via Twitter the latest post on his blog at TheoryWrong.me including a PS4 NVS Args Extractor IDA Plugin script for use with IDA Interactive Disassembler to extract the arguments of the icc_nvs_read and icc_nvs_write non-volatile storage functions that manage the SFlash at the Switch Bank level. 🔥

For those interested in more IDA PS4 plug-ins, previously we've seen an IDC script to Populate the Kernel's Symbols, a PS4 NID to Function Name Resolver, an IDA Pro Plugin for PS4 User Mode ELFs, a PS4 BELF Loader, some PS4 Loader and IDA Script Ports, PS4 Kernel Loaders, a PS4 Userland Modules Loader, a PS4 Name 2 NID Plugin, a PS4 Kernel Fixup Script, a PS4 IOCTL Nabber Script alongside GetEventHandlerNames and DecryptedKernelLabelSyscalls scripts included in the PS4 Console Hacking Scripts Repository on Github. :geek:

💞 Feel free to support his ongoing PS4 development research via his Patreon Page, and here's a rough translation of his Latest Blog Article: IDA plugin: NVS Args Extractor

Hello !

A very small article to give you a small script useful for IDA. It allows extracting the arguments of the functions icc_nvs_read and icc_nvs_write.

[Image: IDA view from the plugin output]

These functions manage the SFlash and therefore the Switch Bank of the PS4. Reversing them can be a great help, but given the number of calls, and since analyzing several kernels can be interesting, I wrote a Python plugin for it.
Code:
# NVS Read / Write arguments extractor - TheoryWrong
# Run inside IDA via File > Script File after renaming the two functions.
# Uses the classic IDAPython names (PrevHead, GetMnem, GetOpnd, GetOperandValue);
# on IDA 7.4+ the equivalents are idc.prev_head, idc.print_insn_mnem,
# idc.print_operand and idc.get_operand_value.
from idaapi import *
from idc import *
import idc
import idautils

# Lowest segment start, used to print image-relative offsets
start_address = 0
for s in idautils.Segments():
    start_address = s
    break

nvs_read = get_name_ea_simple("icc_nvs_read")
nvs_write = get_name_ea_simple("icc_nvs_write")

print("start address 0x{:08x}".format(start_address))
print("nvs read 0x{:08x}".format(nvs_read))
print("nvs write 0x{:08x}".format(nvs_write))


def dump_nvs_calls(func_ea, kind):
    """For every call site of func_ea, walk back at most 70 bytes and pick up the
    immediates moved into edi / esi / edx (bank id, offset, size under the
    SysV x86-64 calling convention). The mov nearest to the call wins."""
    for xref in idautils.XrefsTo(func_ea, flags=0):
        call_address = xref.frm
        relative_address = call_address - start_address
        lower_bound = call_address - 70
        bank_id = -1
        offset = -1
        size = -1
        current_address = call_address
        while current_address >= lower_bound:
            current_address = PrevHead(current_address)
            if GetMnem(current_address) != 'mov':
                continue
            dest = idc.GetOpnd(current_address, 0)
            if dest == 'edi' and bank_id == -1:
                bank_id = idc.GetOperandValue(current_address, 1)
            elif dest == 'esi' and offset == -1:
                offset = idc.GetOperandValue(current_address, 1)
            elif dest == 'edx' and size == -1:
                size = idc.GetOperandValue(current_address, 1)
        # Report the call site itself, not the address where the walk stopped
        print("XRef: {:s} Relative: {:s} Type: {:s} Bank id: {:d} Offset: {:s} Size: {:s}".format(
            hex(call_address), hex(relative_address), kind, bank_id, hex(offset), hex(size)))


dump_nvs_calls(nvs_read, "READ")
dump_nvs_calls(nvs_write, "WRITE")
For usage, nothing could be simpler: rename the right functions to icc_nvs_read and icc_nvs_write, save the script and run it via File > Script File. Tadaa 😉
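The backward scan the script performs, replayed as an added stand-alone model that is not part of TheoryWrong's plugin and needs no IDA: it walks a constructed instruction listing the same way (previous head by previous head, within a 70-byte window), but keeps the mov nearest to the call for each argument register and stops at a `ret`, so a stale `mov edi` left over from the preceding function is not reported as a bank id. The listing, the `NvsCall` record and the function name are assumptions.

```python
import re
from collections import namedtuple

# Constructed result record; fields mirror the plugin's printed columns
NvsCall = namedtuple("NvsCall", "call_ea kind bank_id offset size")

# SysV x86-64: edi = bank id, esi = offset, edx = size (immediate operands only)
MOV_IMM = re.compile(r"^mov\s+(edi|esi|edx),\s*(0x[0-9a-fA-F]+|\d+)$")
CALL = re.compile(r"^call\s+(icc_nvs_read|icc_nvs_write)$")


def recover_nvs_args(listing, window=70):
    """listing: ordered (ea, asm text) pairs, a stand-in for IDA's instruction heads.
    Returns one NvsCall per icc_nvs_read / icc_nvs_write call site."""
    results = []
    for idx, (call_ea, text) in enumerate(listing):
        m = CALL.match(text)
        if not m:
            continue
        kind = "READ" if m.group(1) == "icc_nvs_read" else "WRITE"
        found = {}
        # Walk back over previous heads, like PrevHead() in the plugin
        for ea, prev in reversed(listing[:idx]):
            if ea < call_ea - window or prev == "ret":
                break  # left the window, or crossed into the previous function
            mi = MOV_IMM.match(prev)
            if mi and mi.group(1) not in found:  # nearest mov to the call wins
                found[mi.group(1)] = int(mi.group(2), 0)
            if len(found) == 3:
                break
        results.append(NvsCall(call_ea, kind, found.get("edi", -1),
                               found.get("esi", -1), found.get("edx", -1)))
    return results


# Constructed listing (not from a real kernel). The stale "mov edi, 7" sits
# inside the second call's 70-byte window but behind a ret; esi is also
# reassigned before the second call, so the nearer value must be reported.
LISTING = [
    (0x1000, "mov edi, 7"), (0x1005, "ret"),
    (0x1006, "push rbp"), (0x1007, "mov rbp, rsp"),
    (0x100a, "mov edi, 4"), (0x100f, "mov esi, 0x20"), (0x1014, "mov edx, 1"),
    (0x1019, "lea rcx, [rbp-8]"), (0x101d, "call icc_nvs_read"),
    (0x1022, "mov esi, 0x100"), (0x1027, "mov edx, 0x100"),
    (0x102c, "mov edi, 4"), (0x1031, "mov esi, 0x1600"), (0x1036, "mov edx, 0x20"),
    (0x103b, "call icc_nvs_write"),
]

if __name__ == "__main__":
    for call in recover_nvs_args(LISTING):
        print("XRef: {:#x} Type: {} Bank id: {} Offset: {:#x} Size: {:#x}".format(*call))
```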

The result on a kernel in 5.05: https://ghostbin.co/paste/rmvor
Code:
start address 0xffffffffd7378000
nvs read 0xffffffffd770d830
nvs write 0xffffffffd770d670
XRef: 0xffffffffd7380356L Relative: 0x83a1L Type: READ Bank id: 4 Offset: 0x20L Size: 0x1L
XRef: 0xffffffffd7381074L Relative: 0x90bbL Type: READ Bank id: 4 Offset: 0x20L Size: 0x1L
XRef: 0xffffffffd738113fL Relative: 0x9324L Type: READ Bank id: 4 Offset: 0x20L Size: 0x1L
XRef: 0xffffffffd738159cL Relative: 0x95e3L Type: READ Bank id: 4 Offset: 0xeL Size: 0x1L
XRef: 0xffffffffd73bdf9bL Relative: 0x45fe5L Type: READ Bank id: 2 Offset: 0x30L Size: 0x11L
XRef: 0xffffffffd73be23eL Relative: 0x4628bL Type: READ Bank id: 4 Offset: 0x100L Size: 0x100L
XRef: 0xffffffffd73d40b8L Relative: 0x5c101L Type: READ Bank id: 4 Offset: 0x100L Size: 0x100L
XRef: 0xffffffffd73f3d92L Relative: 0x7bdd9L Type: READ Bank id: 4 Offset: 0x50L Size: 0x1L
XRef: 0xffffffffd73f4674L Relative: 0x7c6bcL Type: READ Bank id: 4 Offset: 0x50L Size: 0x1L
XRef: 0xffffffffd746886dL Relative: 0xf08b4L Type: READ Bank id: 4 Offset: 0x322L Size: 0x1L
XRef: 0xffffffffd7468985L Relative: 0xf09ceL Type: READ Bank id: 4 Offset: 0x320L Size: 0x1L
XRef: 0xffffffffd74689a9L Relative: 0xf09f0L Type: READ Bank id: 4 Offset: 0x320L Size: 0x1L
XRef: 0xffffffffd74689ffL Relative: 0xf0a47L Type: READ Bank id: 4 Offset: 0x21L Size: 0x1L
XRef: 0xffffffffd7468d55L Relative: 0xf0d9cL Type: READ Bank id: 1 Offset: 0xa0L Size: 0x2L
XRef: 0xffffffffd7885883L Relative: 0x50d8ceL Type: READ Bank id: 4 Offset: 0x600L Size: 0x300L
XRef: 0xffffffffd78858aeL Relative: 0x50d8f6L Type: READ Bank id: 4 Offset: 0x600L Size: 0x300L
XRef: 0xffffffffd7885a3dL Relative: 0x50da86L Type: READ Bank id: 4 Offset: 0x1600L Size: 0x20L
XRef: 0xffffffffd7885a77L Relative: 0x50dac1L Type: READ Bank id: 4 Offset: 0x1600L Size: 0x20L
XRef: 0xffffffffd7909fb5L Relative: 0x591ffeL Type: READ Bank id: 4 Offset: 0x30L Size: 0x1L
XRef: 0xffffffffd790a25eL Relative: 0x5922a9L Type: READ Bank id: 1 Offset: 0x40L Size: 0x10L
XRef: 0xffffffffd793b394L Relative: 0x5c33ddL Type: READ Bank id: 4 Offset: 0x30L Size: 0x1L
XRef: 0xffffffffd79400c8L Relative: 0x5c8110L Type: READ Bank id: 4 Offset: 0x30L Size: 0xb0L
XRef: 0xffffffffd7940247L Relative: 0x5c828fL Type: READ Bank id: 4 Offset: 0x30L Size: 0x1L
XRef: 0xffffffffd794069dL Relative: 0x5c86e5L Type: READ Bank id: 4 Offset: 0x30L Size: 0x1L
XRef: 0xffffffffd79b06efL Relative: 0x638736L Type: READ Bank id: 4 Offset: 0x80L Size: 0x68L
XRef: 0xffffffffd79b0727L Relative: 0x638771L Type: READ Bank id: 4 Offset: 0x80L Size: 0x68L
XRef: 0xffffffffd79b09a7L Relative: 0x6389eeL Type: READ Bank id: 4 Offset: 0xc40L Size: 0x130L
XRef: 0xffffffffd79b119fL Relative: 0x6391e8L Type: READ Bank id: 4 Offset: 0xf0L Size: 0x10L
XRef: 0xffffffffd79b135aL Relative: 0x6393a3L Type: READ Bank id: 4 Offset: 0xf0L Size: 0x10L
XRef: 0xffffffffd79b17ffL Relative: 0x63984fL Type: READ Bank id: 4 Offset: 0x80L Size: 0x68L
XRef: 0xffffffffd79b1bbdL Relative: 0x639c06L Type: READ Bank id: 4 Offset: 0xf0L Size: 0x10L
XRef: 0xffffffffd79b1f5aL Relative: 0x639fa1L Type: READ Bank id: 4 Offset: 0x80L Size: 0x68L
XRef: 0xffffffffd79b1f74L Relative: 0x639fc0L Type: READ Bank id: 4 Offset: 0x80L Size: 0x68L
XRef: 0xffffffffd79b2104L Relative: 0x63a14eL Type: READ Bank id: 4 Offset: 0x80L Size: 0x68L
XRef: 0xffffffffd79b213fL Relative: 0x63a189L Type: READ Bank id: 4 Offset: 0x80L Size: 0x68L
XRef: 0xffffffffd79c0570L Relative: 0x6485b7L Type: READ Bank id: 4 Offset: -0x1 Size: -0x1
XRef: 0xffffffffd73803d2L Relative: 0x841bL Type: WRITE Bank id: 4 Offset: 0x20L Size: 0x1L
XRef: 0xffffffffd73810d8L Relative: 0x9122L Type: WRITE Bank id: 4 Offset: 0x20L Size: 0x1L
XRef: 0xffffffffd7381816L Relative: 0x985fL Type: WRITE Bank id: 1 Offset: 0x20L Size: 0x1L
XRef: 0xffffffffd73818f9L Relative: 0x9940L Type: WRITE Bank id: 4 Offset: 0x20L Size: 0x1L
XRef: 0xffffffffd738191fL Relative: 0x9969L Type: WRITE Bank id: 4 Offset: 0x20L Size: 0x1L
XRef: 0xffffffffd73d412bL Relative: 0x5c176L Type: WRITE Bank id: 4 Offset: 0x100L Size: 0x4L
XRef: 0xffffffffd73d4238L Relative: 0x5c280L Type: WRITE Bank id: 4 Offset: 0x100L Size: 0x100L
XRef: 0xffffffffd73f3fb5L Relative: 0x7bfffL Type: WRITE Bank id: 85196800 Offset: 0x50L Size: 0x8L
XRef: 0xffffffffd73f4707L Relative: 0x7c74fL Type: WRITE Bank id: 4 Offset: 0x50L Size: 0x1L
XRef: 0xffffffffd7468897L Relative: 0xf08deL Type: WRITE Bank id: 4 Offset: 0x322L Size: 0x1L
XRef: 0xffffffffd7468920L Relative: 0xf0967L Type: WRITE Bank id: 4 Offset: 0x320L Size: 0x1L
XRef: 0xffffffffd7468942L Relative: 0xf098aL Type: WRITE Bank id: 4 Offset: 0x320L Size: 0x1L
XRef: 0xffffffffd7468a7aL Relative: 0xf0ac1L Type: WRITE Bank id: 4 Offset: 0x21L Size: 0x1L
XRef: 0xffffffffd7885946L Relative: 0x50d98dL Type: WRITE Bank id: 4 Offset: 0xeL Size: 0x300L
XRef: 0xffffffffd788596eL Relative: 0x50d9b5L Type: WRITE Bank id: 4 Offset: 0x1000L Size: 0x300L
XRef: 0xffffffffd7885a5dL Relative: 0x50daa6L Type: WRITE Bank id: 4 Offset: 0x1600L Size: 0x20L
XRef: 0xffffffffd7885a97L Relative: 0x50dae1L Type: WRITE Bank id: 4 Offset: 0x1600L Size: 0x20L
XRef: 0xffffffffd790af19L Relative: 0x592f65L Type: WRITE Bank id: 4 Offset: 0x30L Size: 0x1L
XRef: 0xffffffffd7940772L Relative: 0x5c87bbL Type: WRITE Bank id: 4 Offset: 0x30L Size: 0x1L
XRef: 0xffffffffd79c0c24L Relative: 0x648c71L Type: WRITE Bank id: 4 Offset: -0x1 Size: 0x4L
XRef: 0xffffffffd79c0c40L Relative: 0x648c88L Type: WRITE Bank id: 4 Offset: -0x1 Size: 0x4L
XRef: 0xffffffffd79cc8adL Relative: 0x6548f8L Type: WRITE Bank id: 4 Offset: -0x1 Size: 0x20L
The script is easily editable for other similar applications! Happy hacking! ^^
Comments

I have no idea what this is about, I'm just glad that there are some people who still give the PS4 scene the light it deserves, and I hope we see some big news in the future