Over the weekend we covered some PS4Link news, and today PlayStation developer @zecoxao announced on Twitter that Peek and Poke support has been added to the PS4Link GIT, alongside PS Vita kernel dumping in St4rk's VitaDump GIT. Details are below!
Download: PS4Link VirtualMemQuery Sample via droogie / PS4Link GIT / VitaDump Support Dumping Kernel Modules via d3m3vilurr / VitaDump GIT /
kDump.skprx (74.25 KB) / pcff.7z (6.93 MB) / pcbc.7z (21.85 KB) / workdir.7z (47.25 KB) / vitadump.7z (207.24 KB) / VitaDump GIT (Zecoxao)
He also shared a precompiled VitaDump kernel plugin, tested on taiHENkaku Beta 4, which should dump kernel modules to ux0:/dump. For PS4 developers he shared the NID for sceAppInstUtilAppInstallPkg: bpLyMf0oVwQ, in response to @flatz's recent update.
Those who have been in the scene since at least the early PlayStation 3 days will recall Netkas and flukes1 first added Peek and Poke support to the PS3, which was then supported in countless PS3 Custom Firmware releases.
Here are some related Tweets:
NIDs Explained
What are they:
Function names, variables, etc., but obfuscated. Known as (N)ame(ID)entifiers.
How to get a NID from:
PSP
SHA-1 hash of the function or variable name string, grab the first 4 bytes, endian swap 32
Warning: Some NIDs have to be manually guessed! From 3.70 at least, there is no solution to find the suffix (yet)
PSVita
SHA-1 hash of the function or variable name string, grab the first 4 bytes, endian swap 32
Warning: Some NIDs have to be manually guessed! There is no solution to find the suffix (yet)
Warning 2: NIDs like module_start, etc. (NONAME) have suffix c1b886af5c31846467e7ba5e2cffd64a as key
PS3
SHA-1 hash of the function name string plus the binary key 6759659904250490566427499489741A (in hex),
grab the first 4 bytes, endian swap 32
Warning: NIDs like module_start, etc. (NONAME) have suffix bc5eba9e042504905b64274994d9c41f as binary key
PS4
SHA-1 hash of the function or variable name string plus the binary key 518D64A635DED8C1E6B039B1C3E55230,
grab first 8 bytes?, endian swap 64? and finally convert to Sony's special base64
(I believe replace - with = for charset)
Bruteforcing:
Using custom hashcat.
Algos:

- PS3, Python
```python
import struct
from binascii import unhexlify as uhx
from hashlib import sha1

# ref https://github.com/SocraticBliss/ps4_name2nid_plugin

NEW_NIDS = {}
AEROLIB = 'nids.txt'       # output: one "0xNID name" pair per line
NAMES = 'ps3_names.txt'    # input: one symbol name per line

def name2nid(name):
    # SHA-1 over the name plus the PS3 suffix key
    symbol = sha1(name.encode() + uhx(b'6759659904250490566427499489741A')).digest()
    # The NID is the first 4 digest bytes read as a little-endian 32-bit value
    nid = struct.unpack('<I', symbol[:4])[0]
    NEW_NIDS[nid] = name

def save_nids(NIDS):
    # Write the table sorted by symbol name
    with open(AEROLIB, 'w') as csvFile:
        for nid, name in sorted(NIDS.items(), key=lambda x: x[1]):
            csvFile.write('0x%08X %s\n' % (nid, name))

with open(NAMES, 'r') as f:
    for line in f:
        line = line.strip()
        if line:  # skip blank lines in the name list
            name2nid(line)

save_nids(NEW_NIDS)
```
- PS4, Python
```python
import hashlib
import struct
from base64 import b64encode as base64enc
from binascii import unhexlify as uhx

# ref https://github.com/SocraticBliss/ps4_name2nid_plugin

NEW_NIDS = {}
AEROLIB = 'aerolib.csv'    # output: one "NID name" pair per line
NAMES = 'ps4_names.txt'    # input: one symbol name per line

def name2nid(name):
    # SHA-1 over the name plus the PS4 suffix key
    symbol = hashlib.sha1(name.encode() + uhx('518D64A635DED8C1E6B039B1C3E55230')).digest()
    # First 8 digest bytes read as a little-endian 64-bit value
    value = struct.unpack('<Q', symbol[:8])[0]
    # Base64 with '+' and '-' as the last two alphabet characters, padding stripped
    nid = base64enc(uhx('%016x' % value), b'+-').rstrip(b'=')
    NEW_NIDS[nid.decode('utf-8')] = name

def save_nids(NIDS):
    # Write the table sorted by symbol name
    with open(AEROLIB, 'w') as csvFile:
        for nid, name in sorted(NIDS.items(), key=lambda x: x[1]):
            csvFile.write('%s %s\n' % (nid, name))

with open(NAMES, 'r') as f:
    for line in f:
        line = line.strip()
        if line:  # skip blank lines in the name list
            name2nid(line)

save_nids(NEW_NIDS)
```
- nidcracker (also an excellent bruter, but for PSP)
- nid-explained
- ps4_module_loader (aerolib.csv)
- ps4libdoc
- Ps3GhidraScripts (nids.txt)
- vita-headers (db folder)
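
The four derivations listed under "How to get a NID from", combined into one function together with a decoder for the PS4 form, as an added example that is not code from this page or from the projects listed above. The helper names `ps4_nid_to_int` and `resolve` and the sample input are hypothetical; the suffix keys are the ones quoted above, and the PS4 alphabet follows the page's Python (`+` and `-` as the last two characters, padding stripped).

```python
import hashlib
import struct
from base64 import b64decode, b64encode

# Suffix keys as quoted on this page; PSP and PS Vita hash the bare name.
SUFFIX = {
    "psp": b"",
    "vita": b"",
    "ps3": bytes.fromhex("6759659904250490566427499489741A"),
    "ps4": bytes.fromhex("518D64A635DED8C1E6B039B1C3E55230"),
}

def name2nid(name, platform):
    """NID of `name`: '0xXXXXXXXX' for PSP/Vita/PS3, 11 characters for PS4."""
    digest = hashlib.sha1(name.encode() + SUFFIX[platform]).digest()
    if platform == "ps4":
        value = struct.unpack("<Q", digest[:8])[0]   # first 8 bytes, 64-bit swap
        # Base64 with '-' instead of '/', padding dropped (as in the page's code)
        return b64encode(struct.pack(">Q", value), b"+-").rstrip(b"=").decode()
    value = struct.unpack("<I", digest[:4])[0]       # first 4 bytes, 32-bit swap
    return "0x%08X" % value

def ps4_nid_to_int(nid):
    """Decode a PS4 NID to its 64-bit value; reject malformed strings."""
    if len(nid) != 11:
        raise ValueError("a PS4 NID is 11 characters (64 bits, unpadded)")
    raw = b64decode(nid + "=", b"+-", validate=True)
    # Re-encode to catch '/' in the input and stray low bits in the last character
    if b64encode(raw, b"+-").rstrip(b"=").decode() != nid:
        raise ValueError("not a canonical PS4 NID: %r" % nid)
    return struct.unpack(">Q", raw)[0]

def resolve(nids, candidates, platform):
    """Label each NID with the candidate name that hashes to it, else None."""
    table = {name2nid(name, platform): name for name in candidates}
    return {nid: table.get(nid) for nid in nids}

if __name__ == "__main__":
    # Constructed input: two names from this page plus an all-zero NID.
    names = ["module_start", "sceAppInstUtilAppInstallPkg"]
    imports = [name2nid(n, "ps4") for n in names] + ["AAAAAAAAAAA"]
    for nid, name in resolve(imports, names, "ps4").items():
        print(nid, "%016X" % ps4_nid_to_int(nid), name or "<unresolved>")
```

The 11-character length follows from 64 bits being encoded 6 bits per character with the single padding character removed, which is why the decoder appends one `=` before decoding.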