Category PS4 CFW and Hacks       Thread starter PSXHAX       Start date Feb 28, 2019 at 8:22 AM       8,380       23            
Previously we've seen guides on How to Obtain Your PS4 SFlash alongside some example file dumps, and today developer @zecoxao shared on Twitter SFlash0Unpack which is a script to unpack sflash0 files from PS4 flash dumps for PlayStation 4 scene devs to examine.

Download: sflash0unpack-master.zip / GIT / ps4_sflash0_pack_tool.py / GIT

Below is main.c from Github followed by the makefile, with a Python version of the PS4 Sflash0 Pack Tool from @SocraticBliss (Twitter) on Github for those interested and also a extractor.pl Perl version from BwE! :ninja:

Main.c:
Code:
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <inttypes.h>
#include <sys/stat.h>

/*
   0x0 <- Header (0x1000)
   0x1000 <- Unk (0x1000)
   0x2000 <- MBR1 (0x1000) (for sflash0s1.cryptx3b)
   0x3000 <- MBR2 (0x1000) (for sflash0s1.cryptx3)
   0x4000 <- sflash0s0x32b (emc_ipl) (0x60000)
   0x64000 <- sflash0s0x32 (emc_ipl) (0x60000)
   0xC4000 <- sflash0s0x33 (eap_kbl) (0x80000)
   0x144000 <- sflash0s0x34 (wifi fw) (0x80000)
   0x1C4000 <- sflash0s0x38 (nvs) (0xC000)
   0x1D0000 <- sflash0s0x0 (blank1) (0x30000)
   0x200000 <- Header2 (0x1000)
   0x201000 <- Unk 2(0x1000)
   0x202000 <- MBR3(0x1000) (for sflash0s1.cryptx2b)
   0x203000 <- MBR4(0x1000) (for sflash0s1.cryptx2)
   0x204000 <- sflash0s1.cryptx2b (sam_ipl/secure loader) (0x3E000)
   0x242000 <- sflash0s1.cryptx2 (sam_ipl/secure loader) (0x3E000)
   0x280000 <- sflash0s1.cryptx1 (idata) (0x80000)
   0x300000 <- sflash0s1.cryptx39 (bd_hrl?) (0x80000)
   0x380000 <- sflash0s1.cryptx6 (Virtual TRM) (0x40000)
   0x3C0000 <- sflash0s1.cryptx3b (secure kernel, secure modules) (0xCC0000)
   0x1080000 <- sflash0s1.cryptx3 (secure kernel, secure modules) (0xCC0000)
   0x1D40000 <- sflash0s1.cryptx40 (blank2) (0x2C0000)
*/

typedef struct
{
   unsigned char header[0x1000];
   unsigned char unk[0x1000];
   unsigned char mbr1[0x1000];
   unsigned char mbr2[0x1000];
   unsigned char emc_iplb[0x60000];
   unsigned char emc_ipl[0x60000];
   unsigned char eap_kbl[0x80000];
   unsigned char wifi_fw[0x80000];
   unsigned char nvs[0xC000];
   unsigned char blank[0x30000];
   unsigned char header2[0x1000];
   unsigned char unk2[0x1000];
   unsigned char mbr3[0x1000];
   unsigned char mbr4[0x1000];
   unsigned char sam_iplb[0x3E000];
   unsigned char sam_ipl[0x3E000];
   unsigned char idata[0x80000];
   unsigned char bd_hrl[0x80000];
   unsigned char vtrm[0x40000];
   unsigned char secureb[0xCC0000];
   unsigned char secure[0xCC0000];
   unsigned char blank2[0x2C0000];
} SFLASH0;

int main(int argc, char **argv){
 
   if(argc != 3){
       printf ("\nusage: sflash0unpack [sflash0] [outdir]  \n");
       return -1;
   }
 
   unsigned char out[256];
 
   mkdir(argv[2],0777);
 
   FILE *fp = fopen(argv[1],"rb");
 
   unsigned char *buf = (unsigned char*) malloc (0x2000000);
 
   fread(buf,0x2000000,1,fp);
 
   SFLASH0* entries = (SFLASH0*)buf;
 
   sprintf(out,"%s/header.bin",argv[2]);
 
   FILE *fl = fopen(out,"wb");
 
   fwrite(entries->header,sizeof(entries->header),1,fl);
 
   fclose(fl);
 
   sprintf(out,"%s/emc_ipl.bin",argv[2]);
 
   fl = fopen(out,"wb");
 
   fwrite(entries->emc_ipl,sizeof(entries->emc_ipl),1,fl);
 
   fclose(fl);
 
   sprintf(out,"%s/emc_iplb.bin",argv[2]);
 
   fl = fopen(out,"wb");
 
   fwrite(entries->emc_iplb,sizeof(entries->emc_iplb),1,fl);
 
   fclose(fl);
 
   sprintf(out,"%s/eap_kbl.bin",argv[2]);
 
   fl = fopen(out,"wb");
 
   fwrite(entries->eap_kbl,sizeof(entries->eap_kbl),1,fl);
 
   fclose(fl);
 
   sprintf(out,"%s/wifi_fw.bin",argv[2]);
 
   fl = fopen(out,"wb");
 
   fwrite(entries->wifi_fw,sizeof(entries->wifi_fw),1,fl);
 
   fclose(fl);
 
   sprintf(out,"%s/sam_ipl.bin",argv[2]);
 
   fl = fopen(out,"wb");
 
   fwrite(entries->sam_ipl,sizeof(entries->sam_ipl),1,fl);
 
   fclose(fl);
 
   sprintf(out,"%s/sam_iplb.bin",argv[2]);
 
   fl = fopen(out,"wb");
 
   fwrite(entries->sam_iplb,sizeof(entries->sam_iplb),1,fl);
 
   fclose(fl);
 
   sprintf(out,"%s/idata.bin",argv[2]);
 
   fl = fopen(out,"wb");
 
   fwrite(entries->idata,sizeof(entries->idata),1,fl);
 
   fclose(fl);
 
   sprintf(out,"%s/bd_hrl.bin",argv[2]);
 
   fl = fopen(out,"wb");
 
   fwrite(entries->bd_hrl,sizeof(entries->bd_hrl),1,fl);
 
   fclose(fl);
 
   sprintf(out,"%s/vtrm.bin",argv[2]);
 
   fl = fopen(out,"wb");
 
   fwrite(entries->vtrm,sizeof(entries->vtrm),1,fl);
 
   fclose(fl);
 
   sprintf(out,"%s/secure.bin",argv[2]);
 
   fl = fopen(out,"wb");
 
   fwrite(entries->secure,sizeof(entries->secure),1,fl);
 
   fclose(fl);
 
   sprintf(out,"%s/secureb.bin",argv[2]);
 
   fl = fopen(out,"wb");
 
   fwrite(entries->secureb,sizeof(entries->secureb),1,fl);
 
   fclose(fl);
 
   sprintf(out,"%s/blank.bin",argv[2]);
 
   fl = fopen(out,"wb");
 
   fwrite(entries->blank,sizeof(entries->blank),1,fl);
 
   fclose(fl);
 
   sprintf(out,"%s/nvs.bin",argv[2]);
 
   fl = fopen(out,"wb");
 
   fwrite(entries->nvs,sizeof(entries->nvs),1,fl);
 
   fclose(fl);
 
   sprintf(out,"%s/unk.bin",argv[2]);
 
   fl = fopen(out,"wb");
 
   fwrite(entries->unk,sizeof(entries->unk),1,fl);
 
   fclose(fl);
 
   sprintf(out,"%s/mbr1.bin",argv[2]);
 
   fl = fopen(out,"wb");
 
   fwrite(entries->mbr1,sizeof(entries->mbr1),1,fl);
 
   fclose(fl);
 
   sprintf(out,"%s/mbr2.bin",argv[2]);
 
   fl = fopen(out,"wb");
 
   fwrite(entries->mbr2,sizeof(entries->mbr2),1,fl);
 
   fclose(fl);
 
   sprintf(out,"%s/unk2.bin",argv[2]);
 
   fl = fopen(out,"wb");
 
   fwrite(entries->unk2,sizeof(entries->unk2),1,fl);
 
   fclose(fl);
 
   sprintf(out,"%s/mbr3.bin",argv[2]);
 
   fl = fopen(out,"wb");
 
   fwrite(entries->mbr3,sizeof(entries->mbr3),1,fl);
 
   fclose(fl);
 
   sprintf(out,"%s/mbr4.bin",argv[2]);
 
   fl = fopen(out,"wb");
 
   fwrite(entries->mbr4,sizeof(entries->mbr4),1,fl);
 
   fclose(fl);
 
   sprintf(out,"%s/header2.bin",argv[2]);
 
   fl = fopen(out,"wb");
 
   fwrite(entries->header2,sizeof(entries->header2),1,fl);
 
   fclose(fl);
 
   sprintf(out,"%s/blank2.bin",argv[2]);
 
   fl = fopen(out,"wb");
 
   fwrite(entries->blank2,sizeof(entries->blank2),1,fl);
 
   fclose(fl);
 
   fclose(fp);
 
 
   return 0;
}
:idea: To find out (and document) the minimum version of your PS4, download with ftp buf 0x200 payload the file /dev/sflash0s1.cryptx1 (size 512KB) at 0x10008 you can find the minver (endian swapped) next to the SMI header
ps4_sflash0_pack_tool.py
Code:
# PS4 Sflash0 Pack Tool
# SocraticBliss (R)
# Thanks to zecoxao <3

import os
import sys

'''
   Offsets
 
   0x0       <- Header (0x1000)
   0x1000    <- Unk    (0x1000)
   0x2000    <- MBR1   (for sflash0s1.cryptx3b) (0x1000)
   0x3000    <- MBR2   (for sflash0s1.cryptx3) (0x1000)
   0x4000    <- sflash0s0x32b (emc_ipl) (0x60000)
   0x64000   <- sflash0s0x32  (emc_ipl) (0x60000)
   0xC4000   <- sflash0s0x33  (eap_kbl) (0x80000)
   0x144000  <- sflash0s0x34  (wifi fw) (0x80000)
   0x1C4000  <- sflash0s0x38  (nvs) (0xC000)
   0x1D0000  <- sflash0s0x0   (blank) (0x30000)
   0x200000  <- Header2 (0x1000)
   0x201000  <- Unk2    (0x1000)
   0x202000  <- MBR3    (for sflash0s1.cryptx2b) (0x1000)
   0x203000  <- MBR4    (for sflash0s1.cryptx2) (0x1000)
   0x204000  <- sflash0s1.cryptx2b (sam_ipl/secure loader) (0x3E000)
   0x242000  <- sflash0s1.cryptx2  (sam_ipl/secure loader) (0x3E000)
   0x280000  <- sflash0s1.cryptx1  (idata) (0x80000)
   0x300000  <- sflash0s1.cryptx39 (bd_hrl?) (0x80000)
   0x380000  <- sflash0s1.cryptx6  (Virtual TRM) (0x40000)
   0x3C0000  <- sflash0s1.cryptx3b (secure kernel, secure modules) (0xCC0000)
   0x1080000 <- sflash0s1.cryptx3  (secure kernel, secure modules) (0xCC0000)
   0x1D40000 <- sflash0s1.cryptx40 (blank2) (0x2C0000)
'''

SFLASH0 = [
   ('header.bin',   0x0,       0x1000),
   ('unknown.bin',  0x1000,    0x1000),
   ('mbr1.bin',     0x2000,    0x1000),
   ('mbr2.bin',     0x3000,    0x1000),
   ('emc_iplb.bin', 0x4000,    0x60000),
   ('emc_ipl.bin',  0x64000,   0x60000),
   ('eap_kbl.bin',  0xC4000,   0x80000),
   ('wifi_fw.bin',  0x144000,  0x80000),
   ('nvs.bin',      0x1C4000,  0xC000),
   ('blank.bin',    0x1D0000,  0x30000),
   ('header2.bin',  0x200000,  0x1000),
   ('unknown2.bin', 0x201000,  0x1000),
   ('mbr3.bin',     0x202000,  0x1000),
   ('mbr4.bin',     0x203000,  0x1000),
   ('sam_iplb.bin', 0x204000,  0x3E000),
   ('sam_ipl.bin',  0x242000,  0x3E000),
   ('idata.bin',    0x280000,  0x80000),
   ('bd_hrl.bin',   0x300000,  0x80000),
   ('vtrm.bin',     0x380000,  0x40000),
   ('secureb.bin',  0x3C0000,  0xCC0000),
   ('secure.bin',   0x1080000, 0xCC0000),
   ('blank2.bin',   0x1D40000, 0x2C0000),
]

# Unpack entries from a Sflash0 binary...
def unpack(file, dir):

   with open(file, 'rb') as input:
       sflash0 = input.read()
 
       # Validate input file...
       if sflash0[:0x4] != 'SONY':
           raise SystemExit('\nInvalid PS4 Sflash0 binary!')
 
       for num, entry in enumerate(SFLASH0):
           with open('%s/%s' % (dir, SFLASH0[num][0]), 'wb') as output:
               begin = SFLASH0[num][1]
               end = begin + SFLASH0[num][2]
       
               output.write(sflash0[begin:end])
               print('Unpacked %s' % SFLASH0[num][0])

# Pack entries into a Sflash0 binary...
def pack(dir, file):

   with open(file, 'wb') as output:
       try:
           for num, entry in enumerate(SFLASH0):
               with open('%s/%s' % (dir, SFLASH0[num][0]), 'rb') as input:
                   output.write(input.read())
 
       except IOError as error:
           raise SystemExit('\n%s' % error)


def main(argc, argv):
 
   # Print Usage Statement...
   if argc not in [2, 3]:
       raise SystemExit('\nUsage: python %s <input> [output]' % argv[0])
 
   # File Input -> Unpack
   if os.path.isfile(argv[1]):
 
       # Create a custom directory...
       if argc == 3:
           try:
               os.makedirs(argv[2])
           except:
               pass
 
       unpack(argv[1], argv[2] if argc == 3 else '.')
 
   # Directory Input -> Pack
   elif os.path.isdir(argv[1]):
       pack(argv[1], argv[2] if argc == 3 else 'sflash0.bin')
 
   else:
       raise SystemExit('\nUsage: python %s <input> [output]' % argv[0])
 
   print('\nDone!')

if __name__ == '__main__':
   main(len(sys.argv), sys.argv)
SFlash0Unpack Unpack SFlash0 Files From PS4 Flash Dumps by Zecoxao.jpg
 

Comments

Chaos Kid

Developer
Senior Member
Contributor
It's not reprogramming a bios it's writing a reverse engineered bios with patches to allow for downgrade or write original bios back to fix a corrupted bios. As long as you have a bios dump of your system saved
 

XfactorX

Senior Member
Contributor
Verified
@Chaos Kid
To allow for downgrade? Are you sure? For layout we mean the exact number of files that make up the dump of the Nor chip, their names, the dimensions and the offsets of their exact position in the dump.

For layout we mean the exact number of files that make up the dump of Nor, their names, the dimensions and the offsets of their exact position in the dump, for now they are useless information for normal users but they are proof of the fact that contrary to what someone say, devs are always at work, what normal users could do to help, would be to dump the Nor and share it with BwE to improve its validator in order to identify many more possible corruptions that often they make it unusable our consoles.
 

Chaos Kid

Developer
Senior Member
Contributor
@XfactorX

Yes I am sure what can be done with these when things are R.E it's from my experience in the past and knowing how it works. Just member dumps are good when validated correctly but never share all the dump they contain personal info that could be bad when shared.

Dumps in the ps3 scene were used to flash back and allow for downgrade when the correct patch is applied to the dump itself with offsets and using a jb device to put in jig mode. While I get what your saying about correct sizes people don't always understand what a bios dump could be used for which is what I explained for on page one so people are aware.
 

XfactorX

Senior Member
Contributor
Verified
@Chaos Kid

Undoubtedly, I must have expressed myself badly, so I apologize for my bad english. The part related to you was just my question about the downgrade because as you wrote it seemed that we have already come to understand how to apply the patches to perform the downgrade.

All the rest of what I wrote, apart from the question, was referred to those who ask what it was zecoxao announcement. Returning to you, I've known you for many years and I read what you write in the various places, so I assure you that I did not want to question your knowledge, in fact, when I read what you wrote on the downgrade, I had a stroke.

Regarding the personal data contained in the Nor chip, it must be said that the MAC and serial numbers can be removed, and I believe that those who are able to do the dump also has the ability to remove those data.

As far as IDPS is concerned, there is no danger since it is not present in NOR.
 

Chaos Kid

Developer
Senior Member
Contributor
@XfactorX

At this time there is no downgrade features available but the intention is there for downgrade it's just understanding how it works and there may be possible someone who already has these patches ready for it just has not released them for the fact of 6.20 release as the system fw has loop holes in it and is pointless to release now when a few months something pops up.

I wasn't doubting your skills either as I knew what you were getting at with zecoaxo and needing all requirements but those aren't all that will be needed to keep a valid flash dump and for flashing back.

Even an analyzer on the flash can give you tons of data on fw update where you can see everything that's going on through the line but I'm glad to see your helping others.
 
Recent Articles
Some of the PlayStation 4 E3 2019 PS4 Trailer Videos!
We've seen a Watch Dogs: Legion PS4, Marvel Avengers: A-Day PS4 and some Final Fantasy VIII Remastered & Final Fantasy VII Remake PS4 videos from E3 2019, and below are several more PlayStation 4...
Crash Team Racing: Nitro-Fueled Races to PS4 Next Week
CTR racers on your mark, get set, go... as Crash Team Racing: Nitro-Fueled speeds onto PlayStation 4 next week. šŸŽ šŸ Get ready to go fur-throttle in the fully-remastered and revved up to the max...
TurboGrafx-16 Mini, PC Engine Mini & PC Engine CoreGrafx Mini by Konami
A few months back we covered the Sega Genesis Mini reveal, and during E3 2019 Konami announced a TurboGrafx-16 Mini, PC Engine Mini and PC Engine CoreGrafx Mini on their official site for...
PS4 Firmware / System Software 6.80 Preview Program PUP and Features
As reported earlier this month, since their recent 6.71 PS4 OFW Update those enrolled in Sony's PlayStation Preview Program can now download and install the PS4 Firmware / System Software 6.80...
Top