PS4 CFW and Hacks | Thread starter: PSXHAX | Start date: Nov 25, 2018 at 11:39 AM
Following his initial PS4 Remote Package Installer release, PlayStation 4 developer @flatz returns with an update to his Remote PKG Installer, with the changes detailed below.

Download: remote_pkg_installer.pkg (4.1 MB) / remote_pkg_installer.pkg (Mirror) / RPI Controller.zip (161.09 KB) / ps4-exploit-host-win.x86-0.4.6b3.zip (4.99 MB) by @Al Azif via Twitter

To quote from flat_z's Tweets embedded below on the update: "Remote pkg installer update: added CORS header to interact with browser's ajax & deletion of temporary files in /data (last access date should be more than 3 days)"

"Up to date" with the RPI installer using CORS headers. This version only uses HTML/JS; you must specify an external PKG list to list files, as there's no server component (line 47 of rpi.js). Add the TMDB key (PS3 is the same as PS4) to line 71 of rpi.js to show PKG metadata automatically.
The device using this must be on the same network or have port 12800 forwarded to your PS4.
Corresponding selfhost: no need to add a PKG list, just put PKGs in the pkg folder. You still need the key though. rpi.js is in the themes/default folder. Make sure you update the RPI PKG and just visit http://yourexploitip/rpi
fPKG code has a bug that leads to a game crash after a suspend/resume cycle, so I've fixed it here:
Code:
//
// Name: Additional patches for fPKG
// Description: Prevents fPKG game crash during suspend/resume cycle
// Notes: offsets are given for 5.01 retail kernel
//

#define SIZEOF_SBL_KEY_SLOT_DESC 0x20

/* One entry of the keymgr key-slot queue: a hardware key slot bound to a key handle. */
TYPE_BEGIN(struct sbl_key_slot_desc, SIZEOF_SBL_KEY_SLOT_DESC);
   TYPE_FIELD(uint32_t key_id, 0x00);
   TYPE_FIELD(uint32_t unk_0x04, 0x04);
   TYPE_FIELD(uint32_t key_handle, 0x08); /* or -1 if it's freed */
   TYPE_FIELD(uint32_t unk_0x0C, 0x0C);
   TYPE_FIELD(TAILQ_ENTRY(sbl_key_slot_desc) list, 0x10);
TYPE_END();
TAILQ_HEAD(sbl_key_slot_queue, sbl_key_slot_desc);

#define SIZEOF_SBL_KEY_RBTREE_ENTRY 0xA8 // sceSblKeymgrSetKey

/* One node of the keymgr key rbtree: the key descriptor looked up by handle. */
TYPE_BEGIN(struct sbl_key_rbtree_entry, SIZEOF_SBL_KEY_RBTREE_ENTRY);
   TYPE_FIELD(uint32_t handle, 0x00);
   TYPE_FIELD(uint32_t occupied, 0x04);
   TYPE_FIELD(union sbl_key_desc desc, TYPE_SBL_KEY_RBTREE_ENTRY_DESC_OFFSET);
   TYPE_FIELD(uint32_t locked, TYPE_SBL_KEY_RBTREE_ENTRY_LOCKED_OFFSET);
   TYPE_FIELD(struct sbl_key_rbtree_entry* left, 0x88);
   TYPE_FIELD(struct sbl_key_rbtree_entry* right, 0x90);
   TYPE_FIELD(struct sbl_key_rbtree_entry* parent, 0x98);
   TYPE_FIELD(uint32_t set, 0xA0);
TYPE_END();

//...

DECLARE_VARIABLE(0x2744558, sbl_keymgr_key_rbtree, struct sbl_key_rbtree_entry**);
DECLARE_VARIABLE(0x2744548, sbl_keymgr_key_slots, struct sbl_key_slot_queue*);

/* Kernel staging buffer for key material, and its GPU virtual address as expected by sceSblKeymgrSetKeyStorage. */
DECLARE_VARIABLE(0x2748000, sbl_keymgr_buf_va, uint8_t*);
DECLARE_VARIABLE(0x2748800, sbl_keymgr_buf_gva, uint64_t*);

DECLARE_FUNCTION(0x623BE0, sceSblKeymgrSetKeyStorage, int, uint64_t key_gpu_va, unsigned int key_size, uint32_t key_id, uint32_t key_handle);

//...

/*
 * Replaces the _sx_xlock() call inside sceSblKeymgrInvalidateKey. Once the lock is
 * taken, every key slot bound to one of our fake PFS keys gets its escrowed key
 * re-uploaded into key storage, so the key survives the suspend/resume cycle.
 * Slots holding real keys are left alone and fall through to the original code.
 */
static int sceSblKeymgrInvalidateKey___sx_xlock__hook(struct sx* sx, int opts, const char* file, int line) {
   struct sbl_key_rbtree_entry* key_desc;
   struct sbl_key_slot_desc* key_slot_desc;
   unsigned key_handle;
   int ret, ret2;

   ret = _sx_xlock(sx, opts, file, line);

   if (TAILQ_EMPTY(sbl_keymgr_key_slots))
       goto done;

   TAILQ_FOREACH(key_slot_desc, sbl_keymgr_key_slots, list) {
       key_handle = key_slot_desc->key_handle;
       if (key_handle == (unsigned int)-1) {
           /* slot is not bound to any key */
           continue;
       }
       key_desc = sceSblKeymgrGetKey(key_handle);
       if (!key_desc) {
           /* shouldn't happen in normal situations */
           continue;
       }
       if (!key_desc->occupied) {
           continue;
       }
       if (key_desc->desc.pfs.obf_key_id != PFS_FAKE_OBF_KEY_ID) {
           /* not our key, just skip, so it will be handled by original code */
           continue;
       }
       if (key_desc->desc.pfs.key_size != sizeof(key_desc->desc.pfs.escrowed_key)) {
           /* something weird with key params, just ignore and app will just crash... */
           continue;
       }
       /* stage the escrowed key in the keymgr buffer and push it back into this slot */
       memcpy(sbl_keymgr_buf_va, key_desc->desc.pfs.escrowed_key, key_desc->desc.pfs.key_size);
       ret2 = sceSblKeymgrSetKeyStorage(*sbl_keymgr_buf_gva, key_desc->desc.pfs.key_size, key_desc->desc.pfs.obf_key_id, key_slot_desc->key_id);
       if (ret2) {
           /* re-upload failed; nothing more we can do for this slot */
           continue;
       }
   }

done:
   /* XXX: no need to call SX unlock because we'll jump to original code which expects SX is already locked */

   return ret;
}

//...

static void do_debug_pfs_patches(void) {
   //...
   INSTALL_CALL_HOOK(0x62E58D, sceSblKeymgrInvalidateKey___sx_xlock__hook);
   //...
}
Download: ps4-hen-vtx.bin (7.20 KB - 5.05 Test)

To test it, you should:
  • Open a game
  • Long press the PS button
  • Go to Power Options
  • Enter Rest Mode
  • Wait 5 minutes
  • Press the PS button
  • Repeat this at least 5 times
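The skip rules in the hook above are easier to follow on plain arrays than on a TAILQ and an rbtree. The block below is an added userland model written for this page; it is not flatz's code and not PS4 kernel code. The slot queue, the key rbtree and the key storage are arrays, suspend/resume is modelled as wiping that storage, and the names (key_entry, key_slot, set_key_storage, FAKE_OBF_KEY_ID, the four-slot scenario) are assumptions made for the model, standing in for sbl_key_slot_desc, sbl_key_rbtree_entry, sceSblKeymgrSetKeyStorage and PFS_FAKE_OBF_KEY_ID.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FAKE_OBF_KEY_ID   0x1337u   /* stand-in for PFS_FAKE_OBF_KEY_ID (assumed value) */
#define ESCROWED_KEY_SIZE 0x20u
#define NUM_SLOTS         4
#define NUM_KEYS          8
#define FREED_HANDLE      ((uint32_t)-1)

/* Model of sbl_key_rbtree_entry: what the key manager knows about one key. */
struct key_entry {
    uint32_t handle;
    uint32_t occupied;
    uint32_t obf_key_id;
    uint32_t key_size;
    uint8_t  escrowed_key[ESCROWED_KEY_SIZE];
};

/* Model of sbl_key_slot_desc: a slot bound to a key handle, or -1 if freed. */
struct key_slot {
    uint32_t key_id;
    uint32_t key_handle;
};

/* Model of the key storage behind the slots; in this model it is lost on suspend. */
struct hw_storage {
    uint8_t key[NUM_SLOTS][ESCROWED_KEY_SIZE];
    int     valid[NUM_SLOTS];
};

static struct key_entry  key_table[NUM_KEYS];
static struct key_slot   key_slots[NUM_SLOTS];
static struct hw_storage hw;

/* Model of sceSblKeymgrGetKey: handle -> descriptor, NULL if unknown. */
static struct key_entry *get_key(uint32_t handle) {
    for (int i = 0; i < NUM_KEYS; i++)
        if (key_table[i].handle == handle)
            return &key_table[i];
    return NULL;
}

/* Model of sceSblKeymgrSetKeyStorage: 0 on success, nonzero on failure. */
static int set_key_storage(const uint8_t *key, uint32_t key_size,
                           uint32_t obf_key_id, uint32_t slot_id) {
    (void)obf_key_id;
    if (slot_id >= NUM_SLOTS || key_size != ESCROWED_KEY_SIZE)
        return -1;
    memcpy(hw.key[slot_id], key, key_size);
    hw.valid[slot_id] = 1;
    return 0;
}

/* Suspend/resume in this model simply wipes the key storage. */
static void simulate_suspend_resume(void) { memset(&hw, 0, sizeof hw); }

/* Body of the hook: walk every slot and re-upload the fake PFS keys, with the
 * same skip rules as the patch. Returns the number of slots restored. */
static int restore_fake_pfs_keys(void) {
    int restored = 0;
    for (int i = 0; i < NUM_SLOTS; i++) {
        struct key_slot *slot = &key_slots[i];
        if (slot->key_handle == FREED_HANDLE)
            continue;                                   /* slot not bound to a key */
        struct key_entry *k = get_key(slot->key_handle);
        if (!k || !k->occupied)
            continue;                                   /* unknown or stale handle */
        if (k->obf_key_id != FAKE_OBF_KEY_ID)
            continue;                                   /* real key: left to original code */
        if (k->key_size != sizeof k->escrowed_key)
            continue;                                   /* malformed key params */
        if (set_key_storage(k->escrowed_key, k->key_size, k->obf_key_id, slot->key_id) != 0)
            continue;                                   /* upload failed */
        restored++;
    }
    return restored;
}

static int hw_slot_valid(int slot) { return hw.valid[slot]; }
static int hw_slot_byte(int slot, int i) { return hw.key[slot][i]; }

/* Constructed scenario (not from the page): slot 0 holds a fake key, slot 1 is
 * freed, slot 2 holds a real key, slot 3 holds a fake key with a bad size. */
static int run_scenario(void) {
    for (int i = 0; i < NUM_KEYS; i++)
        key_table[i] = (struct key_entry){ .handle = FREED_HANDLE };
    key_table[0] = (struct key_entry){ .handle = 1, .occupied = 1,
        .obf_key_id = FAKE_OBF_KEY_ID, .key_size = ESCROWED_KEY_SIZE };
    memset(key_table[0].escrowed_key, 0xAA, ESCROWED_KEY_SIZE);
    key_table[1] = (struct key_entry){ .handle = 2, .occupied = 1,
        .obf_key_id = 0x2, .key_size = ESCROWED_KEY_SIZE };
    key_table[2] = (struct key_entry){ .handle = 3, .occupied = 1,
        .obf_key_id = FAKE_OBF_KEY_ID, .key_size = 0x10 };
    key_slots[0] = (struct key_slot){ .key_id = 0, .key_handle = 1 };
    key_slots[1] = (struct key_slot){ .key_id = 1, .key_handle = FREED_HANDLE };
    key_slots[2] = (struct key_slot){ .key_id = 2, .key_handle = 2 };
    key_slots[3] = (struct key_slot){ .key_id = 3, .key_handle = 3 };

    /* keys were loaded before suspend and are gone afterwards */
    set_key_storage(key_table[0].escrowed_key, ESCROWED_KEY_SIZE, FAKE_OBF_KEY_ID, 0);
    set_key_storage(key_table[1].escrowed_key, ESCROWED_KEY_SIZE, 0x2, 2);
    simulate_suspend_resume();
    return restore_fake_pfs_keys();
}

int main(void) {
    int n = run_scenario();
    printf("restored %d slot(s): slot0 valid=%d, slot2 (real key) valid=%d\n",
           n, hw_slot_valid(0), hw_slot_valid(2));
    return 0;
}
```

Only the slot holding a well-formed fake key comes back; the freed slot, the real key and the fake key with a wrong size are all skipped, which is exactly the set of `continue` branches in the hook.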
Download: ps4_remote_pkg_installer-master.zip (Remote Package Installer sources) / GIT / ps4_stub_lib_maker_v2-master.zip / GIT

Cheers to Leeful for the heads up on the news earlier today!

Comments

I'm just learning .js, but I'm wondering how either A. 'country' is evaluating to the serverip or B. your regex is failing and 'xx' is ultimately being sent to loadFrame() (but then where is the string 'xx' being mangled into serverip?).

I'm new, but do you know of a good debug application for .js? Doesn't have to be fancy, just an eval, breakpoints and support for at least ECMA 5 would do.

The below looks sort of shady because if the regex doesn't match, 'xx' is sent. Is there an identifier, property or something that can evaluate 'xx' into a sane default value?
Code:
    country = 'xx'; // wouldn't something like the browsers default locale be better here?
    myRegexp = /^\/document\/([a-z]{2,5})\/ps4\/index.html$/;
    match = myRegexp.exec(location.pathname);  // What should be pathname at this time?
    if (match !== null) {
      country = match[1]; // What exactly is to be captured here?
    }
    cacheRedirect(country); // And if country still equates to 'xx'?
Dunno. With limited knowledge of .js, as it looks right now, I really don't see an obvious problem unless country == serverip (or whatever variable you named it). Somehow though it looks like serverip is being captured and sent to cacheRedirect().

In the above it appears I'm wrong (already). It appears country == country + '/' + serverip; (is the port part of serverip? The port isn't its own variable, right?).

I need to go to bed, but I just replaced this...
Code:
function cacheRedirect(country) {
loadFrame('/cache/redirect/' + country + '/index.html');
}
with this...
Code:
function cacheRedirect(country) {
loadFrame('/cache/redirect/en/index.html');
}
And I still get the same thing... which is...

http://manuals.playstation.net/cache/redirect/en/192.168.1.56:80

I'm too tired right now, I'll look elsewhere tomorrow.
 
@bablest
  • I'm expecting it to default to "xx" server side. If the value is "xx" it means it wasn't accessed from the user's guide, as there is no "xx" region
  • "location.pathname" evaluates to everything after the domain... basically everything after "http(s)://whatever.tld/"
  • match[1] evaluates to the first captured group in "myRegex"
  • If it's still "xx" then it's not the user's guide
Maybe there's something in the callback functions. I'll keep looking.
 
To be honest, I can't get it to work.

I start the RPI side on the PS4 and I see the PKGs in the PKG folder of the exploit host. But I saw no picture from TMDB. (I inserted the TMDB key, the sha1-hmac key from the DevWiki site; I hope this is the right one. For me it's also not clear how to install the PKG: first start the RPI PKG and then go to the exploit site (with the RPI PKG in the background), or is there another procedure?)

Maybe somebody will give me a hint...
thx
 
Well, the self host doesn't work for me either, but I only tried twice (as I really don't need it to work). I do have the same key in there as you, but I didn't see "no categories found". I just select the package and hit that go button and the selected item just disappears from the text box, but nothing ever happens when I put focus back on RPI.

I can get RPI to work with curl and I'm trying to get it to work in vanilla node.js (not sure if it needs to be a transform stream or what), but... I really don't know how RPI works in general.

I know it needs focus, but if you try to send a command to rpi when it is _NOT_ in focus, does the request hit the queue and wait until it (RPI) is back in focus? I figured that was how the self host option worked, but again, I only tried twice (and admittedly haven't done any research really outside of reading the news post here).
 
TMDB works: in the URL, add another 80 to the port of the IP address and see if your pic pops up.
example
192.168.x.x:8080/pkgs/
original
192.168.x.x:80/pkgs/
works for me
 
@ohcHIT
thx for the hint, but it did not work for me. I think the reason may have something to do with the update blocker, because I also can not reach the example site from the DevWiki page...
Code:
http://tmdb.np.dl.playstation.net/tmdb/BLES01133_00_93EC11E04B137B433A9C867603E64660782A762E/BLES01133_00.xml
@bablest same situation for me..

At least I also do not need this absolutely (I'm very satisfied with the Windows RPI installer from user sonic), but I like to test and try new tools. So it's a little sad that we can't get a small instruction on how to use this one. Anyway, thx for developing...
 
ohcHIT's picture is basically the instructions (but a label to indicate the TMDB key would be nice).

Also, in that pic the local IP is filled in, and unless it is manually typed in, mine stays at the default 0.0.0.0. It seems something is really wrong with things in my particular case.

What is the server language being used with this? I'd like to run a DB on the server and configure which directory holds PKGs, but I'm not sure what is being used besides fakeDNS. I'd like to NOT use node.js, as that is just more overhead.
 
@bablest
If for you a pic is enough, then maybe you can tell us the whole process; for me it's not clear at all...

PS: you can edit rpi.js so that your IP address is filled out automatically
 
1. Download ps4-exploit-host-win.x86-0.4.6b3.zip (4.99 MB) by @Al Azif
2. Extract it to the desktop
3. Download HEN 1.8 (HTML)
4. Create a folder inside exploits (name it HEN 1.8); you can use VR or regular HEN 1.8
5. Place the HEN 1.8 HTML inside of the HEN 1.8 folder: /exploits/HEN 1.8/index.html
6. Open settings.json (on debug, change the 1st line to true)
7. Open rpi.js (paste the TMDB key from the dev wiki... google is your friend) at line 71
8. Put a PKG in the pkg folder (text reads "put here")
9. Run the exploit host exe
10. Open the Firefox browser, put in the IP shown on the host exe screen (192.168.x.x) and press enter (watch the debug scan the exploit folder)
11. Go back to the address bar and type the IP again followed by /rpi (192.168.x.x/rpi) (watch the debug screen scan the folder)
12. Click on the PKG shown on the RPI screen (it should load into the HTTP URL box)
13. Add an 80 to the port and the TMDB of the title ID should show

Note: hit Shift+Ctrl+I for the Firefox dev screen (click Network and see your requests)
hope this helps..

cheerZ
 
@ohcHIT
Wait, I thought this was to be run off the PS4 solely. So this pushes the packages from your PC's web browser instead of using curl or whatever you choose? Well, no wonder it didn't work.
 