PS4 Jailbreaking | Thread starter: Wultra | Start date: Feb 18, 2018 at 6:46 PM | 29
Status
Not open for further replies.
# PS4Notify 4.05 + Source By Vultra

PS4Notify-master.zip / PS4Notify-master.zip (Mirror) / Github / PS4Notify 4.05 By Vultra.zip (16.79 KB - Compiled via mb2010) / PS4Notify_4.05_By_Vultra.zip (Mirror)

PS4 Notification Tool
Only Supports 4.05 OFW
Send Custom Notifications

Use PS4API Server Payload by Bisoon.
Send PS4API Payload in the /Payloads/ Folder using IDC or XVortex Exploit.

Enter the PS4 IP into PS4Notify.
Connect & Attach the tool; once that succeeds, you can send custom notifications.

# Credits

SpecterDEV - Code Execution And Kernel Exploit
Bisoon - PS4Lib & PS4API
CTurt - ***
& More
PS4 NOTIFIER TOOL 6.72 / 7.02: SEND CUSTOM NOTIFICATION. A very simple tool: use any exploit host, load ps4debug, and connect the tool (special thanks to TER1520).

Download: PS4-NOTIFY.rar (3.45 MB - includes PS4-NOTIFIER.exe)
Update: @oldschoolmodzhd (aka OLDSCHOOLMODZ) also added another PS4 Notify variant to his OSM-Made Github repository with details below, to quote: PS4-Notify

A different way of calling the notify function on the PS4 for homebrew development.

Download: PS4-Notify-main.zip / GIT

Calling the new Notify
Code:
void Notify(char* IconURI, char* MessageFMT, ...);
You can call the notify function like this using one of the default PS4 icons.
Code:
Notify("cxml://psnotification/tex_default_icon_notification", "Hello World");
You don't have to use one of the default PS4 icons, though; using a web URL will work as well.
Code:
Notify("http://www.somewhere.com/SomeImage.png", "Hello World");
Some Icon URIs I have dumped

There are probably more than these, but these I have tested and confirmed they do work.
Code:
cxml://psnotification/tex_icon_system               //PlayStation buttons
cxml://psnotification/tex_icon_ban                  //Circle with a slash
cxml://psnotification/tex_default_icon_notification //i in a chat bubble
cxml://psnotification/tex_device_headphone
cxml://psnotification/tex_device_headset
cxml://psnotification/tex_device_mic
cxml://psnotification/tex_device_move               //ps move controller
cxml://psnotification/tex_device_mouse
cxml://psnotification/tex_device_keyboard
cxml://psnotification/tex_default_icon_message
cxml://psnotification/tex_default_icon_trophy
cxml://psnotification/tex_default_icon_friend
cxml://psnotification/tex_default_icon_download
cxml://psnotification/tex_default_icon_cloud_client //ps now logo
cxml://psnotification/tex_default_icon_smaps        //bullhorn
cxml://psnotification/tex_default_icon_activity
cxml://psnotification/tex_icon_capture
cxml://psnotification/tex_icon_stop_rec
cxml://psnotification/tex_icon_start_rec
cxml://psnotification/tex_icon_loading
cxml://psnotification/tex_icon_live_prohibited
cxml://psnotification/tex_icon_live_start
cxml://psnotification/tex_icon_party
  • Shout out to OSM-Made for reversing the notifications
Download: sceSysUtil.c (sceSysUtils prototypes)
Download: payloads.zip (82.04 KB)
Download: payloads.zip (0.08 MB)
DAEMON testing
To quote from PS4 daemon writeup: How to run your own daemon

View the writeup here, as follows: DAEMON Writeup

Welcome to my writeup of how I found and implemented my own PS4 Daemon proc.
Finding how Daemons work on PS4

When I first began, I noticed that when you call this function from a game
Code:
sceCommonDialogInitialize()
you actually spawn a daemon of CDLG type
Code:
[SceLncService] category={gdg} VRMode={0,0}
[SceLncService] hnm,psnf,pc,tk,ns={0,0,0,0,0} appBootMode={-1}
[SceLncService] appType={SCE_LNC_APP_TYPE_CDLG} [] appVer={00.00}
[SceLncService] Num. of logged-in users is 1
[SceLncService] spawnApp
[Syscore App] createApp NPXS22010

[SceShellCore] FMEM 143.2/ 243.4 NPXS22010 SceCdlgApp
But how? Good question.

The sub function in charge of spawning it is
Code:
sub_1020()

which calls many other functions to check things but also does
Code:
sceLncUtilStartLaunchAppByTitleId("NPXS22010",....)
As you can imagine, I was thinking: but how?

First things first: finding the structs which it seems to use. After looking in shellui, I found them!
Code:
typedef struct _LncAppParam
{
	uint32_t size;
	int32_t user_id;
	int32_t app_attr;
	int32_t enable_crash_report;
	uint64_t check_flag;
}
LncAppParam;
Just like sceSystemServiceLaunchApp, these seem to have the same protos in the libSceSystemService module.


Code:
int (*sceSystemServiceLaunchApp)(const char* titleId, const char* argv[], LaunchAppParam* param);
int (*sceLncUtilStartLaunchAppByTitleId)(const char* titleId, const char* argv[], LaunchAppParam* param);
int (*sceLncUtilStartLaunchApp)(const char* titleId, const char* argv[], LaunchAppParam* param);
sceSystemServiceLaunchApp calls sceLncUtilStartLaunchApp, which then calls the IPC, iirc.

After looking through other PS4 daemons, I noticed they are all similar, use gdd as their sfo category, and are installed to
Code:
/system/vsh/app/TITLE_ID/
Next we have to copy all our daemon files including eboot which is signed with System/GL Auth (which makes them limited on memory and forces you to manually load all modules) via
Code:
make_fself.py --auth-info 010000000010003800000000001c004000ff00000000008000000000000000000000000000000000000000c000400040000000000000008000000000000000f00040ffff000000f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 cd.elf eboot.bin && copy eboot.bin I:\
So next I did the following after remounting the System partition as RW via nmount
Code:
/system/vsh/app/NPXS20119/sce_sys/param.sfo -> /system/vsh/app/LMSS0001/sce_sys/param.sfo
eboot.bin -> /system/vsh/app/LMSS0001/eboot.bin
etc
But when I tried running my function, I got
Code:
SCE_LNC_UTIL_ERROR_NOT_INITIALIZED 0x80940001
which can also be found where the ps4 keeps a list of errors, so we need to first initialize it using


Code:
int (*sceLncUtilInitialize)();
which I found by backtracing shellcore to
Code:
sceSystemServiceInitializeForShellCore()
now we can finally run our daemon as follows
Code:
    sys_dynlib_load_prx("/system/common/lib/libSceSystemService.sprx", &libcmi);

    // Resolve the one exported symbol by name
    int serres = sys_dynlib_dlsym(libcmi, "sceSystemServiceLaunchApp", &sceSystemServiceLaunchApp_pointer);
    if (!serres)
    {
        klog("sceSystemServiceLaunchApp-pointer %p resolved from PRX\n", sceSystemServiceLaunchApp_pointer);

        // The sceLncUtil* functions are taken at fixed offsets from that symbol
        sceLncUtilInitialize = (void*)(sceSystemServiceLaunchApp_pointer + 0x1110);
        klog("sceLncUtilInitialize %p resolved from PRX\n", sceLncUtilInitialize);

        sceLncUtilLaunchApp = (void*)(sceSystemServiceLaunchApp_pointer + 0x1130);
        klog("sceLncUtilLaunchApp %p resolved from PRX\n", sceLncUtilLaunchApp);

        if (!sceLncUtilInitialize || !sceLncUtilLaunchApp)
            printf("error\n");

        OrbisUserServiceInitializeParams params;
        memset(&params, 0, sizeof(params));
        params.priority = 700;

        klog("ret %x\n", sceUserServiceInitialize(&params));

        OrbisUserServiceLoginUserIdList userIdList;

        klog("ret %x\n", sceUserServiceGetLoginUserIdList(&userIdList));

        // Log every logged-in user slot
        for (int i = 0; i < 4; i++)
        {
            if (userIdList.userId[i] != 0xFF)
            {
                klog("[%i] User ID 0x%x\n", i, userIdList.userId[i]);
            }
        }

        // Launch parameters for the first user in the list
        LncAppParam param;
        param.size = sizeof(LncAppParam);
        param.user_id = userIdList.userId[0];
        param.app_attr = 0;
        param.enable_crash_report = 0;
        param.check_flag = 0;

        // Must be initialized first, otherwise SCE_LNC_UTIL_ERROR_NOT_INITIALIZED
        klog("sceLncUtilInitialize %x\n", sceLncUtilInitialize());

        uint64_t l2 = sceLncUtilLaunchApp("LMSS00001", 0, &param);
    }
And after all our work, success! I've successfully launched my own daemon. Mine took a while to make, as I have an RPC server that does A LOT
Code:
[SceLncService] launchApp(LMSS0001)
[SceLncService] category={gdd} VRMode={1,0}
[SceLncService] hnm,psnf,pc,tk,ns={0,0,0,0,0} appBootMode={-1}
[SceLncService] appType={SCE_LNC_APP_TYPE_DAEMON} [] appVer={00.00}
[SceLncService] Num. of logged-in users is 1
[SceLncService] spawnApp
[Syscore App] createApp LMSS0001
[DEBUG] Started Internal Module SCE_SYSMODULE_INTERNAL_SYSTEM_SERVICE
[DEBUG] Started Internal Module SCE_SYSMODULE_INTERNAL_USER_SERVICE
[DEBUG] Started Internal Module SCE_SYSMODULE_INTERNAL_NETCTL
[DEBUG] Started Internal Module SCE_SYSMODULE_INTERNAL_NET
[DEBUG] Started Internal Module SCE_SYSMODULE_INTERNAL_HTTP
[DEBUG] Started Internal Module SCE_SYSMODULE_INTERNAL_SSL
[DEBUG] Started Internal Module SCE_SYSMODULE_INTERNAL_SYS_CORE
[DEBUG] Started Internal Module 0x80000018
[DEBUG] Started Internal Module SCE_SYSMODULE_INTERNAL_NETCTL
[DEBUG] Starting System FTP Process on Port 999
Client list mutex UID: 0x802CD4E0
Server thread started!
Server thread UID: 0x812189C0
Server socket fd: 5
starting KLOG Thread on port 998
sceNetBind(): 0x00000000
sceNetListen(): 0x00000000
Waiting for incoming connections...
(Also works for Launching Game see the trailer for more info)
PS4Notify PS4 Notification Tool for 4.05 OFW by Vultra.jpg
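
The `Notify(char* IconURI, char* MessageFMT, ...)` prototype quoted above ends in `...`, and its `MessageFMT` name indicates a printf-style format, so text that arrives from outside the program belongs in an argument, not in the format. The following is an added example (not OSM-Made's code and not part of the original post) of a bounded, format-safe wrapper; `struct notify_req`, `notify_build`, `notify_text` and the 256-byte buffer sizes are hypothetical stand-ins, not the console's real layout.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the request a Notify() wrapper fills in;
   field names and sizes are assumptions, not the console's real layout. */
struct notify_req {
    char uri[256];
    char message[256];
};

/* Allow only the icon sources the post mentions: cxml icons or a web URL. */
static int icon_uri_allowed(const char *uri)
{
    static const char *const prefixes[] = {
        "cxml://psnotification/", "http://", "https://"
    };
    for (size_t i = 0; i < sizeof prefixes / sizeof prefixes[0]; i++)
        if (strncmp(uri, prefixes[i], strlen(prefixes[i])) == 0)
            return 1;
    return 0;
}

/* Returns 0 on success, -1 on a rejected URI, -2 if anything would be truncated. */
int notify_build(struct notify_req *req, const char *icon_uri, const char *fmt, ...)
{
    va_list ap;
    int n;

    memset(req, 0, sizeof *req);
    if (icon_uri == NULL || fmt == NULL || !icon_uri_allowed(icon_uri))
        return -1;
    if (strlen(icon_uri) >= sizeof req->uri)
        return -2;
    strcpy(req->uri, icon_uri);            /* length checked just above */

    va_start(ap, fmt);
    n = vsnprintf(req->message, sizeof req->message, fmt, ap);
    va_end(ap);
    return (n < 0 || (size_t)n >= sizeof req->message) ? -2 : 0;
}

/* Untrusted text (for example a string received from a PC tool) is passed
   as an argument to "%s", so any '%' sequences inside it stay inert. */
int notify_text(struct notify_req *req, const char *icon_uri, const char *untrusted)
{
    return notify_build(req, icon_uri, "%s", untrusted);
}
```
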
 

Comments

Nah, it's not based off that; it's using PS4Lib.dll to connect to the target PS4 after sending the PS4API Payload that's provided in the Github. And basically just sends custom notifications. There are more updates coming to it, but v0.01 is out for now x
 
By looking at the source it utilizes the sceSysUtilSendSystemNotification and sends the message type 222.

Nice work. IMO it's handy to have if you are developing desktop PC apps that interact with the PS4.
 
@Timmy84 English? This tool was developed to display custom notifications on any of the GUI. Example: when you get "the controller has been disconnected", you can send a customnotify and it will display using that box.

@himawbas Did you get it working in the end? If not, try a different exploit like Specter.

@netbies Work fine for you :? :)
 
Great release. This is always good for RTE tools as well, letting the person know the tool has connected to the PS4. More and more each day the developers on here are just killing it. Keep it up guys, 2 thumbs way up :)
 