Category: PS4 Jailbreaking | Thread starter: PSXHAX | Start date: Mar 23, 2018 at 4:12 PM
Following his PS4 Serial / Flash Pinouts, PlayStation 4 scene developer @xorloser announced on Twitter that he's added PS4 Wifi / Bluetooth Firmware reversing h4x v1.0 to Github with details and the related Tweets below. :geek:

Download: ps4_wifi_bt-master.zip / GIT

To quote from the README.md:

PS4 wifi/bluetooth firmware reversing h4x

v1.0 xorloser march 2018

Overview

The PS4 uses a hardware module codenamed torus for its wifi and bluetooth. Currently there are two different versions of this; the older torus1 and the newer torus2.

The torus firmwares are stored in plaintext on the PS4's flash. The PS4 loads them into the hardware module.

This is not going to lead to some magical hack of the PS4, it's just fun to poke around inside it to see what it does.

Torus1

The older torus1 is based around the Marvell Avastar 88W8797 SoC. It supports up to wifi n. This SoC has a Marvell Feroceon CPU (ARMv5TE-compliant) inside it. Check this pdf for more specs: marvell_avastar_88w8797.pdf.


Torus2

The newer torus2 is based around the Marvell Avastar 88W8897 SoC. This updated SoC adds wifi ac. It is used in PS4 Pro consoles and probably PS4 slim since I see that PS4 Slim supports wifi ac. Check this pdf for more specs: marvell-wireless-88w8897-product-brief-2018-10.pdf

Apparently this SoC is also inside the XboxOne :)

Firmware files

The torus firmware files are stored in plaintext in the PS4 flash. You can parse the flash partitions and filesystems to find it stored as the filename "C0020001". Or if you have a flashdump just search for the string "C0020001" in it. The size of the firmware is a 32bit value stored 0xC bytes before the "C0020001" filename. The firmware data will be stored 0x1D0 bytes after the "C0020001" filename.

The following bytes show the start of the torus1 firmware: 01 00 00 00 00 00 00 00 00 04 00 00

The following bytes show the start of the torus2 firmware: 50 4B 03 04 14 00 08 00 08 00

The firmware can also be found inside the PS4UPDATE.PUP update files. The PS4UPDATE.PUP files internally contain multiple PS4UPDATEx.PUP entries. The torus firmwares are inside PS4UPDATE1.PUP and can be found from their pkg ids:

0x003 == torus1_fw.bin
0x022 == torus2_fw.zip

Note that newer firmwares will include both the torus1 and torus2 fws, so there will be two "C0020001" files.

Reversing the torus FW files

The first step is to convert the firmware file into an elf file by running fw_to_elf.py. This makes it easier to access the firmware contents with various tools that support the common elf file format.

fw_to_elf.py torus1_fw.bin torus1.elf

or

fw_to_elf.py torus2_fw.zip torus2a.elf torus2b.elf

Note that torus2 firmwares internally have 2 sets of data. I am not sure why at this point. So converting torus2 firmwares will result in 2 elf files, whereas converting torus1 firmwares will result in 1 elf file.

The next step is to disassemble the elf files using whatever tools you normally use to reverse arm/thumb binaries. If you use IDA v7 then you can use the "ida_fw_setup.py" script I made to perform the data init routines that unpack, copy and clear data in various ram locations. This is quite important for torus1 fws to unpack packed data, however for torus2 fws it seems to just zero out certain ram areas, probably bss areas.

Load the elf into IDA. It should detect as ARM little endian. On the initial load screen you might want to do: Processor options -> Edit ARM architecture options -> tick ARMv5TEJ and then Kernel options 1 -> untick Create function tails

Now you can run the script by doing: File -> Script file... and then selecting "ida_fw_setup.py".

Wait a few seconds for it to complete and then you are ready to explore :)

Links
History

v1.0
  • Initial version
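As an added example (not part of xorloser's README or repo), here is a small scanner that applies the "Firmware files" description above to a raw flash dump: it searches for the "C0020001" filename, reads the 32-bit size stored 0xC bytes before it, pulls the data from 0x1D0 bytes after it, and classifies each entry by the torus1/torus2 start bytes. The little-endian size field and the constructed sample dump are assumptions; the real header layout around the size field is not described on the page.

```python
import struct

FILENAME_MARKER = b"C0020001"
SIZE_OFFSET = -0xC     # 32-bit firmware size sits 0xC bytes before the filename
DATA_OFFSET = 0x1D0    # firmware data starts 0x1D0 bytes after the filename

# Start-of-firmware byte patterns quoted in the README
TORUS1_MAGIC = bytes.fromhex("010000000000000000040000")
TORUS2_MAGIC = bytes.fromhex("504B0304140008000800")  # zip local file header


def find_torus_firmwares(dump: bytes):
    """Return (kind, data_offset, size, data) for every C0020001 entry in dump."""
    results = []
    pos = 0
    while True:
        idx = dump.find(FILENAME_MARKER, pos)
        if idx < 0:
            break
        pos = idx + len(FILENAME_MARKER)
        if idx + SIZE_OFFSET < 0:
            continue  # marker too close to the start to carry a size field
        # Assumption: the size is little-endian (the PS4 is an x86-64 machine)
        (size,) = struct.unpack_from("<I", dump, idx + SIZE_OFFSET)
        start = idx + DATA_OFFSET
        data = dump[start:start + size]
        if len(data) != size:
            continue  # truncated dump, or a stray "C0020001" string
        if data.startswith(TORUS1_MAGIC):
            kind = "torus1"
        elif data.startswith(TORUS2_MAGIC):
            kind = "torus2"
        else:
            kind = "unknown"
        results.append((kind, start, size, data))
    return results


def build_sample_dump() -> bytes:
    """Constructed flash-dump fragment (not a real dump) with one entry of each kind."""
    def entry(payload: bytes) -> bytes:
        header = bytearray(0xC)                      # size field at filename - 0xC
        struct.pack_into("<I", header, 0, len(payload))
        gap = b"\x00" * (DATA_OFFSET - len(FILENAME_MARKER))  # filler up to +0x1D0
        return bytes(header) + FILENAME_MARKER + gap + payload
    fw1 = TORUS1_MAGIC + b"\xAA" * 20
    fw2 = TORUS2_MAGIC + b"\xBB" * 30
    return b"\xFF" * 64 + entry(fw1) + b"\x00" * 16 + entry(fw2) + b"\xFF" * 8
```

On a real dump the extracted data can be written out as torus1_fw.bin / torus2_fw.zip and fed to fw_to_elf.py; newer firmwares yield two entries, one of each kind.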
Also today, zecoxao released an ARZL_decompress utility, stating the following:

Download: ARZL_decompress.exe (29.50 KB)

"This executable decompresses ARZL binaries for the ps4, like the compressed eap kernel. This SHOULD also work on vita but I'm not sure about it."
