Join Us and become a Member for a Verified Badge to access private areas with the latest PS4 PKGs.
Status
Not open for further replies.
Following the PS4 SysGlitch Tool and SysCon Glitching Pinout and his PS4 Unfself Tool, today PlayStation 4 developer @SocraticBliss is back with a PS4 Syscon Loader via Twitter tested with IDA 7.0-7.2 of the Interactive Disassembler for reading the PS4's System Controller full firmware files by scene devs. :geek:

Download: ps4_syscon_loader-master.zip / GIT / xorloser_ida_console_stuff_7.5.zip (4.0 MB - for Xbox 360 and PS3) by x0rloser (aka @xorloser on Twitter) / IDA_console_stuff_20210319.zip (4.24 MB) / GIT / prxldr_for_IDA_20210304_1442.zip (287 KB) / GIT / PS3 SecureTool.exe v2.16

Previously we've seen a PS4 Syscon System Controller Firmware Decrypter, some PS4 System Controller High-Res Images alongside PS4 APU Floor Plan High-Resolution Die Shots and a Colwick Repository for PS4 Syscon Research and Development... from the README.md: PS4 Syscon Loader

SocraticBliss (R)

Dedicated to zecoxao <3

Installation
  1. Place the ps4_syscon.py file in your IDA's loaders directory
Usage
  1. Load a PS4 Decrypted Syscon Full Firmware in IDA 32-bit
  2. Select the option ending with [ps4_syscon.py]
And from the ps4_syscon.py:
Code:
#!/usr/bin/env python
'''
PS4 Syscon Loader by SocraticBliss (R)
Dedicated to zecoxao <3
ps4_syscon_loader.py: IDA loader for reading Sony PlayStation(R) 4 Syscon Firmware files
'''

from idaapi import *
from idc import *

import idaapi as ida
import idc

# Load Processor Details...
def processor(processor):

    # Processor
    idc.set_processor_type(processor, SETPROC_LOADER)

    # Assembler
    idc.set_target_assembler(0x0)

    # Compiler
    idc.set_inf_attr(INF_COMPILER, COMP_GNU)

    # Loader Flags
    idc.set_inf_attr(INF_LFLAGS, LFLG_PC_FLAT | LFLG_COMPRESS)

    # Assume GCC3 names
    idc.set_inf_attr(INF_DEMNAMES, DEMNAM_GCC3)

    # Analysis Flags
    idc.set_inf_attr(INF_AF, 0xBFFFBFFF)

# Pablo's Function Search...
def function_search(mode, search, address = 0):

    while address < BADADDR:
        address = ida.find_binary(address, BADADDR, search, 0x10, SEARCH_DOWN)
        if address < BADADDR:
            address += mode
            ida.del_items(address, 0)
            ida.add_func(address, BADADDR)
            address += 1

# Load Segment Details...
def segment(f, start, end, name, type = 'DATA', perm = SEGPERM_MAXVAL):

    f.file2base(start, start, end, FILEREG_PATCHABLE)
    ida.add_segm(0x0, start, end, name, type, 0x0)

    # Processor Specific Segment Details
    idc.set_segm_addressing(start, 0x1)
    idc.set_segm_alignment(start, saAbs)
    idc.set_segm_combination(start, scPriv)
    idc.set_segm_attr(start, SEGATTR_PERM, perm)


# PROGRAM START

# Open File Dialog...
def accept_file(f, n):

    try:
        if not isinstance(n, (int, long)) or n == 0:
            return 'PS4 - Syscon Full Firmware' if f.read(4) == '\x80\x01\xFF\xFF' else 0

    except:
        pass

# Load Input Binary...
def load_file(f, neflags, format):

    print('# PS4 Syscon Loader')

    # PS4 Syscon Processor
    processor('rl78')

    # Boot Cluster 0
    print('# Creating Vector Table Area 0')
    segment(f, 0x0, 0x80, 'VTA0')

    for vec in xrange(0x40):
        ida.create_data(vec * 2, FF_WORD | FF_0OFF, 0x2, BADNODE)

    print('# Creating CALLT Table Area 0')
    segment(f, 0x80, 0xC0, 'CALLTTA0')

    print('# Creating Option Byte Area 0')
    segment(f, 0xC0, 0xC4, 'OBA0')

    print('# Creating On-chip Debug Security 0')
    segment(f, 0xC4, 0xCE, 'ODS0')

    print('# Creating Program Area 0')
    segment(f, 0xCE, 0x1000, 'PA0', 'CODE', SEGPERM_READ | SEGPERM_EXEC)

    # Boot Cluster 1
    print('# Creating Vector Table Area 1')
    segment(f, 0x1000, 0x1080, 'VTA1')

    for vec in xrange(0x40):
        ida.create_data(0x1000 + (vec * 2), FF_WORD | FF_0OFF, 0x2, BADNODE)

    print('# Creating CALLT Table Area 1')
    segment(f, 0x1080, 0x10C0, 'CALLTTA1')

    print('# Creating Option Byte Area 1')
    segment(f, 0x10C0, 0x10C4, 'OBA1')

    print('# Creating On-chip Debug Security 1')
    segment(f, 0x10C4, 0x10CE, 'ODS1')

    # ROM
    print('# Creating Program Area 1')
    segment(f, 0x10CE, 0x80000, 'PA1', 'CODE', SEGPERM_READ | SEGPERM_EXEC)

    # 0x80000 - 0xF0000 : Reserved

    print('# Creating Special Function Register 2')
    segment(f, 0xF0000, 0xF0800, 'SFR2')

    print('# Creating Reserved')
    segment(f, 0xF0800, 0xF1000, 'RES')

    # DATA
    print('# Creating Data')
    segment(f, 0xF1000, 0xF3000, 'DATA')

    print('# Creating Mirror')
    segment(f, 0xF3000, 0xF7F00, 'MIRROR')

    # RAM
    print('# Creating RAM')
    segment(f, 0xF7F00, 0xFFEE0, 'RAM')

    print('# Creating General-purpose Register')
    segment(f, 0xFFEE0, 0xFFF00, 'GR')

    print('# Creating Special Function Register')
    segment(f, 0xFFF00, 0x100000, 'SFR')

    print('# Search Function Start')
    function_search(1, 'D7 61 DD')
    function_search(1, 'FF C3 31 17')
    function_search(1, 'FB C3 31 17')
    function_search(1, 'FF 61 DD 8E FA')
    function_search(1, 'FF 61 DD C7')
    function_search(0, '61 DD C7')
    function_search(1, 'D7 C7 C3 C1')
    function_search(1, 'D7 C7 16')
    function_search(1, 'D7 30 02 00 C1')
    function_search(1, 'D7 C7 C1')
    function_search(1, 'D7 C7 88')
    function_search(1, 'D7 C7 20')
    function_search(1, 'D7 C7 41')
    function_search(1, 'D7 C7 36')
    function_search(1, '00 C7 C3 C1 FB')
    function_search(1, 'FF C7 57')
    function_search(2, '00 00 C7 C5 C1')
    function_search(1, '00 C5 C1')

    print('# Done!')
    return 1

# PROGRAM END
Finally, from the README.md: xorloser's IDA console stuff

(aka PS3 and Xbox360 support for IDA)

Currently made for the Windows version of IDA v7.5 sp3.

Please note that it is recommended to open the original SELF or XEX files directly without first converting them to ELFs or EXEs. This is because a SELF/XEX contains extra data not present in the ELF/EXE.

Install

To install, copy the directory structure inside the accompanying "IDA" folder into your IDA installation directory.

Plugin Notes

PlayStation 3 SELF/ELF loader (ps3.dll/ps364.dll)


Loads PS3 SELF files directly into IDA without requiring any preprocessing such as extraction or decryption. Attempts to utilise as much info as possible when setting up the disasm, automating various things like table setup, syscalls, module calls etc.

This will also load ELF files however it is recommended to load the original SELF file for best results as SELF files contain extra data that is not present in the ELF file.

This uses the user editable ps3.xml file for info on NIDs used to name imported and exported functions and variables.

SPU processor module (spu.dll/spu64.dll)

This package now contains my SPU processor module (spu.dll and spu64.dll).

If you install this alongside the official SPU module then IDA will choose to use one plugin or the other in a way that seems random. So it is recommended to only have one SPU module ready for use at one time. The way I do this is to add the ".bak" suffix to the filename of whichever module I don't want to use currently. For this reason my bundled SPU processor modules come with the ".bak" suffix already applied. So if you wish to use them instead of the official module then you should remove this suffix and then rename "spu.py" to "spu.py.bak".

I have not bothered to release this before since there is already a perfectly good SPU module bundled with IDA. I wrote my module before this "official SPU" support was added, and mainly kept it around since I had existing IDBs that relied on it.

PPC to C (PPC2C.dll/PPC2C64.dll)

This is not a decompiler! This is a plugin that attempts to make some of the tricky PPC instructions easier to understand. There are various versions of this plugin to be found on the Internet. So if you don't already have it, then use this version as a starting point.

This will add comments of C code that represent PPC instructions, such as:
Code:
bc  14, 4*cr7+eq, loc_800037A8 # if(cr7 is equal) goto loc_800037A8
clrlwi %r0, %r0, 31            # %r0 = %r0 & 1
rldicr %r10, %r10, 24,39       # %r10 = ((%r10 << 24) | (%r10 >> 40)) & 0xFFFFFFFFFF000000
rldicl %r4, %r4, 0,48          # %r4 = %r4 & 0xFFFF
An example of some lines you might want to add to plugins.cfg in IDA:
Code:
PPC_To_C:_Current_Line          PPC2C         F10      0 ; convert the current line to C
PPC_To_C:_Entire_Function       PPC2C         Ctrl-F10 1 ; convert the current function to C
PPC Helper (PPCHelper.dll/PPCHelper64.dll)

This is a very basic plugin that attempts to rename function args and stack variables so as to make your disasm job that little it easier. An example of some lines you might want to add to plugins.cfg in IDA:
Code:
PPC_Helper          PPCHelper         F10      0
For an example of what it does, look at the "SPU Helper" example below. It works in a similar fashion.

SPU Helper (SPUHelper.dll/SPUHelper64.dll)

Only works with my custom SPU module! This is a very basic plugin that attempts to rename function args and stack variables so as to make your disasm job that little it easier. An example of some lines you might want to add to plugins.cfg in IDA:
Code:
SPU_Helper          SPUHelper         F10      0
An example of what it does:

Before:
Code:
    # =============== S U B R O U T I N E =======================================
    func1_before:
    .equ var_50, -0x50
    .equ var_30, -0x30
    .equ var_20, -0x20
    .equ var_10, -0x10
    .equ arg_10,  0x10

    stqd    s0, var_10(sp)
    lr      s0, r3
    stqd    s1, var_20(sp)
    lr      s1, r5
    stqd    s2, var_30(sp)
    lr      s2, r4
    stqd    lr, arg_10(sp)
    stqd    sp, var_50(sp)
After:
Code:
    # =============== S U B R O U T I N E =======================================
    func1_after:
    .equ save_sp, -0x50
    .equ save_s2, -0x30
    .equ save_s1, -0x20
    .equ save_s0, -0x10
    .equ save_lr,  0x10

    arg0 = s0
    arg2 = s1
    arg1 = s2
    ret = r8

    stqd    arg0, save_s0(sp)
    lr      arg0, r3
    stqd    arg2, save_s1(sp)
    lr      arg2, r5
    stqd    arg1, save_s2(sp)
    lr      arg1, r4
    stqd    lr, save_lr(sp)
    stqd    sp, save_sp(sp)
Xbox360 XEX loader (xex.dll/xex64.dll)

Loads Xbox360 XEX files directly into IDA without requiring any preprocessing such as extraction or decryption. Attempts to utilise as much info as possible when setting up the disasm, automating various things like table setup, syscalls, module calls etc.

This uses the user editable Xbox360.xml file for info on IDs used to name imported and exported functions and variables.

History

In the event that I do any more updates of this package of files, the versions will be based on the date that the package was made available.

2021/03/19
  • Fixed PS3 symbol handling (hopefully didnt break it in other parts.
    Previously symbol offsets ('st_value's) were added to their section start address if the SELF file was for PPU. This has been changed so that symbol offsets ('st_value's) are added to their section start address if the SELF file is a PRX (ie relocatable).
2021/03/03

Contains some PS3 fixes after various people starting using them and reported issues back to me.
  • Fixed 32bit ELF symbol handling (present in SPU files with symbols)
  • Fixed custom handling of SPU ELF files where SELF extra data is missing.
  • Fixed support for the official SPU module with the PS3 SELF/ELF loader.
  • Added SPU module.
  • Added DWARF debug info auto-loading (usually only present in debug builds)
  • Added warning and suggestion to use SELF file if loading a badly preconverted ELF file.
2021/01/29

The first release in ages, mainly due to a friend asking for builds of these various plugins that would work with IDA v7.5 sp3.
PS4 Syscon Loader Python Script for System Controller Files by SocraticBliss.jpg
 

Comments

Status
Not open for further replies.
Back
Top