Category: PS4 CFW and Hacks; Thread starter: PSXHAX; Start date: Feb 28, 2019 at 8:22 AM
Previously we've seen guides on How to Obtain Your PS4 SFlash alongside some example file dumps. Today developer @zecoxao shared SFlash0Unpack on Twitter, a script that unpacks sflash0 files from PS4 flash dumps for PlayStation 4 scene devs to examine, followed by a PS4 SFlash0 Tool by SocraticBliss.

In related news, pearlxcore (Twitter) also made available a PS4 Dump Extractor utilized to extract PlayStation 4 dumps including sflash0 files. :tup:

Download: sflash0unpack-master.zip / GIT / ps4_sflash0_pack_tool.py / GIT / ps4_sflash0_tool.py / ps4_sflash0_tool / PS4.Dump.Extractor.exe / PS4 Dump Extractor GIT

Below is main.c from GitHub followed by the makefile, with a Python version of the PS4 Sflash0 Pack Tool from @SocraticBliss (Twitter) on GitHub for those interested and also an extractor.pl Perl version from BwE! :ninja:

Main.c:
Code:
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <inttypes.h>
#include <sys/stat.h>

/*
   0x0 <- Header (0x1000)
   0x1000 <- Unk (0x1000)
   0x2000 <- MBR1 (0x1000) (for sflash0s1.cryptx3b)
   0x3000 <- MBR2 (0x1000) (for sflash0s1.cryptx3)
   0x4000 <- sflash0s0x32b (emc_ipl) (0x60000)
   0x64000 <- sflash0s0x32 (emc_ipl) (0x60000)
   0xC4000 <- sflash0s0x33 (eap_kbl) (0x80000)
   0x144000 <- sflash0s0x34 (wifi fw) (0x80000)
   0x1C4000 <- sflash0s0x38 (nvs) (0xC000)
   0x1D0000 <- sflash0s0x0 (blank1) (0x30000)
   0x200000 <- Header2 (0x1000)
   0x201000 <- Unk 2(0x1000)
   0x202000 <- MBR3(0x1000) (for sflash0s1.cryptx2b)
   0x203000 <- MBR4(0x1000) (for sflash0s1.cryptx2)
   0x204000 <- sflash0s1.cryptx2b (sam_ipl/secure loader) (0x3E000)
   0x242000 <- sflash0s1.cryptx2 (sam_ipl/secure loader) (0x3E000)
   0x280000 <- sflash0s1.cryptx1 (idata) (0x80000)
   0x300000 <- sflash0s1.cryptx39 (bd_hrl?) (0x80000)
   0x380000 <- sflash0s1.cryptx6 (Virtual TRM) (0x40000)
   0x3C0000 <- sflash0s1.cryptx3b (secure kernel, secure modules) (0xCC0000)
   0x1080000 <- sflash0s1.cryptx3 (secure kernel, secure modules) (0xCC0000)
   0x1D40000 <- sflash0s1.cryptx40 (blank2) (0x2C0000)
*/

typedef struct
{
   unsigned char header[0x1000];
   unsigned char unk[0x1000];
   unsigned char mbr1[0x1000];
   unsigned char mbr2[0x1000];
   unsigned char emc_iplb[0x60000];
   unsigned char emc_ipl[0x60000];
   unsigned char eap_kbl[0x80000];
   unsigned char wifi_fw[0x80000];
   unsigned char nvs[0xC000];
   unsigned char blank[0x30000];
   unsigned char header2[0x1000];
   unsigned char unk2[0x1000];
   unsigned char mbr3[0x1000];
   unsigned char mbr4[0x1000];
   unsigned char sam_iplb[0x3E000];
   unsigned char sam_ipl[0x3E000];
   unsigned char idata[0x80000];
   unsigned char bd_hrl[0x80000];
   unsigned char vtrm[0x40000];
   unsigned char secureb[0xCC0000];
   unsigned char secure[0xCC0000];
   unsigned char blank2[0x2C0000];
} SFLASH0;

/* Write one region to <outdir>/<name>; returns 0 on success, -1 on failure */
static int dump_region(const char *outdir, const char *name,
                      const unsigned char *data, size_t size){

   char out[4096];

   /* snprintf bounds the path, so a long outdir cannot overflow the buffer */
   int n = snprintf(out,sizeof(out),"%s/%s",outdir,name);

   if(n < 0 || (size_t)n >= sizeof(out)){
       fprintf(stderr,"output path too long: %s/%s\n",outdir,name);
       return -1;
   }

   FILE *fl = fopen(out,"wb");

   if(fl == NULL){
       perror(out);
       return -1;
   }

   size_t written = fwrite(data,size,1,fl);

   if(fclose(fl) != 0 || written != 1){
       fprintf(stderr,"failed to write %s\n",out);
       return -1;
   }

   return 0;
}

/* Each output file is named after its struct field, e.g. emc_ipl -> emc_ipl.bin */
#define DUMP(field) \
   do { if(dump_region(argv[2],#field ".bin",entries->field,sizeof(entries->field)) != 0) rc = -1; } while(0)

int main(int argc, char **argv){

   if(argc != 3){
       printf ("\nusage: sflash0unpack [sflash0] [outdir]  \n");
       return -1;
   }

   /* Result ignored: the directory may already exist, and fopen reports an unusable outdir */
   mkdir(argv[2],0777);

   FILE *fp = fopen(argv[1],"rb");

   if(fp == NULL){
       perror(argv[1]);
       return -1;
   }

   unsigned char *buf = (unsigned char*) malloc (0x2000000);

   if(buf == NULL){
       fprintf(stderr,"out of memory\n");
       fclose(fp);
       return -1;
   }

   /* A full dump is 0x2000000 bytes; a short read would leave later regions uninitialized */
   if(fread(buf,0x2000000,1,fp) != 1){
       fprintf(stderr,"%s: not a full 0x2000000-byte sflash0 dump\n",argv[1]);
       free(buf);
       fclose(fp);
       return -1;
   }

   fclose(fp);

   SFLASH0* entries = (SFLASH0*)buf;
   int rc = 0;

   DUMP(header);
   DUMP(emc_ipl);
   DUMP(emc_iplb);
   DUMP(eap_kbl);
   DUMP(wifi_fw);
   DUMP(sam_ipl);
   DUMP(sam_iplb);
   DUMP(idata);
   DUMP(bd_hrl);
   DUMP(vtrm);
   DUMP(secure);
   DUMP(secureb);
   DUMP(blank);
   DUMP(nvs);
   DUMP(unk);
   DUMP(mbr1);
   DUMP(mbr2);
   DUMP(unk2);
   DUMP(mbr3);
   DUMP(mbr4);
   DUMP(header2);
   DUMP(blank2);

   free(buf);

   return rc;
}
:idea: To find out (and document) the minimum version of your PS4, use the ftp buf 0x200 payload to download the file /dev/sflash0s1.cryptx1 (size 512KB). At 0x10008 you can find the minver (endian swapped), next to the SMI header.
ps4_sflash0_pack_tool.py
Code:
# PS4 Sflash0 Pack Tool
# SocraticBliss (R)
# Thanks to zecoxao <3

import os
import sys

'''
   Offsets

   0x0       <- Header (0x1000)
   0x1000    <- Unk    (0x1000)
   0x2000    <- MBR1   (for sflash0s1.cryptx3b) (0x1000)
   0x3000    <- MBR2   (for sflash0s1.cryptx3) (0x1000)
   0x4000    <- sflash0s0x32b (emc_ipl) (0x60000)
   0x64000   <- sflash0s0x32  (emc_ipl) (0x60000)
   0xC4000   <- sflash0s0x33  (eap_kbl) (0x80000)
   0x144000  <- sflash0s0x34  (wifi fw) (0x80000)
   0x1C4000  <- sflash0s0x38  (nvs) (0xC000)
   0x1D0000  <- sflash0s0x0   (blank) (0x30000)
   0x200000  <- Header2 (0x1000)
   0x201000  <- Unk2    (0x1000)
   0x202000  <- MBR3    (for sflash0s1.cryptx2b) (0x1000)
   0x203000  <- MBR4    (for sflash0s1.cryptx2) (0x1000)
   0x204000  <- sflash0s1.cryptx2b (sam_ipl/secure loader) (0x3E000)
   0x242000  <- sflash0s1.cryptx2  (sam_ipl/secure loader) (0x3E000)
   0x280000  <- sflash0s1.cryptx1  (idata) (0x80000)
   0x300000  <- sflash0s1.cryptx39 (bd_hrl?) (0x80000)
   0x380000  <- sflash0s1.cryptx6  (Virtual TRM) (0x40000)
   0x3C0000  <- sflash0s1.cryptx3b (secure kernel, secure modules) (0xCC0000)
   0x1080000 <- sflash0s1.cryptx3  (secure kernel, secure modules) (0xCC0000)
   0x1D40000 <- sflash0s1.cryptx40 (blank2) (0x2C0000)
'''

SFLASH0 = [
   ('header.bin',   0x0,       0x1000),
   ('unknown.bin',  0x1000,    0x1000),
   ('mbr1.bin',     0x2000,    0x1000),
   ('mbr2.bin',     0x3000,    0x1000),
   ('emc_iplb.bin', 0x4000,    0x60000),
   ('emc_ipl.bin',  0x64000,   0x60000),
   ('eap_kbl.bin',  0xC4000,   0x80000),
   ('wifi_fw.bin',  0x144000,  0x80000),
   ('nvs.bin',      0x1C4000,  0xC000),
   ('blank.bin',    0x1D0000,  0x30000),
   ('header2.bin',  0x200000,  0x1000),
   ('unknown2.bin', 0x201000,  0x1000),
   ('mbr3.bin',     0x202000,  0x1000),
   ('mbr4.bin',     0x203000,  0x1000),
   ('sam_iplb.bin', 0x204000,  0x3E000),
   ('sam_ipl.bin',  0x242000,  0x3E000),
   ('idata.bin',    0x280000,  0x80000),
   ('bd_hrl.bin',   0x300000,  0x80000),
   ('vtrm.bin',     0x380000,  0x40000),
   ('secureb.bin',  0x3C0000,  0xCC0000),
   ('secure.bin',   0x1080000, 0xCC0000),
   ('blank2.bin',   0x1D40000, 0x2C0000),
]

# Unpack entries from a Sflash0 binary...
def unpack(file, dir):

   with open(file, 'rb') as input:
       sflash0 = input.read()

       # Validate input file (bytes literal, since the file is opened in binary mode)...
       if sflash0[:0x4] != b'SONY':
           raise SystemExit('\nInvalid PS4 Sflash0 binary!')

       for num, entry in enumerate(SFLASH0):
           with open('%s/%s' % (dir, SFLASH0[num][0]), 'wb') as output:
               begin = SFLASH0[num][1]
               end = begin + SFLASH0[num][2]
     
               output.write(sflash0[begin:end])
               print('Unpacked %s' % SFLASH0[num][0])

# Pack entries into a Sflash0 binary...
def pack(dir, file):

   with open(file, 'wb') as output:
       try:
           for num, entry in enumerate(SFLASH0):
               with open('%s/%s' % (dir, SFLASH0[num][0]), 'rb') as input:
                   output.write(input.read())

       except IOError as error:
           raise SystemExit('\n%s' % error)


def main(argc, argv):

   # Print Usage Statement...
   if argc not in [2, 3]:
       raise SystemExit('\nUsage: python %s <input> [output]' % argv[0])

   # File Input -> Unpack
   if os.path.isfile(argv[1]):

       # Create a custom directory...
       if argc == 3:
           try:
               os.makedirs(argv[2])
           except:
               pass

       unpack(argv[1], argv[2] if argc == 3 else '.')

   # Directory Input -> Pack
   elif os.path.isdir(argv[1]):
       pack(argv[1], argv[2] if argc == 3 else 'sflash0.bin')

   else:
       raise SystemExit('\nUsage: python %s <input> [output]' % argv[0])

   print('\nDone!')

if __name__ == '__main__':
   main(len(sys.argv), sys.argv)
And from the ps4_sflash0_tool README.md:

PS4 SFlash0 Tool

SocraticBliss (R)

ps4_sflash_tool.py: Python script for [un]packing your PS4's SFlash0

Usage

Unpacking SFlash0

Code:
python ps4_sflash_pack_tool.py <sflash0.bin> [Optional Output Directory]
Packing SFlash0
Code:
python ps4_sflash_pack_tool.py <Directory> [Optional Output SFlash0 Name]
If you have any suggestions or ideas, please feel free to create pull requests!
To make the most out of this, we have to work together! :lovewins:
:idea: Reminder: Those without a Verified Badge yet on Discord to access the private areas we recommend Joining Us! Why? The waiting process takes a week for new Members, and there's a lot we're unable to share on public forums including the latest PS4 PKG Games. 🏴‍☠️
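The pack() routine in the post above concatenates whatever files it finds in the directory, so a part with the wrong length silently shifts every later region. The check below is an added example, not part of zecoxao's or SocraticBliss's code: it reuses the offset table from the page, and the function names layout_problems and part_problems are hypothetical.

```python
import os

# Region table copied from the SFLASH0 list on this page: (name, offset, size)
SFLASH0 = [
    ('header.bin', 0x0, 0x1000), ('unknown.bin', 0x1000, 0x1000),
    ('mbr1.bin', 0x2000, 0x1000), ('mbr2.bin', 0x3000, 0x1000),
    ('emc_iplb.bin', 0x4000, 0x60000), ('emc_ipl.bin', 0x64000, 0x60000),
    ('eap_kbl.bin', 0xC4000, 0x80000), ('wifi_fw.bin', 0x144000, 0x80000),
    ('nvs.bin', 0x1C4000, 0xC000), ('blank.bin', 0x1D0000, 0x30000),
    ('header2.bin', 0x200000, 0x1000), ('unknown2.bin', 0x201000, 0x1000),
    ('mbr3.bin', 0x202000, 0x1000), ('mbr4.bin', 0x203000, 0x1000),
    ('sam_iplb.bin', 0x204000, 0x3E000), ('sam_ipl.bin', 0x242000, 0x3E000),
    ('idata.bin', 0x280000, 0x80000), ('bd_hrl.bin', 0x300000, 0x80000),
    ('vtrm.bin', 0x380000, 0x40000), ('secureb.bin', 0x3C0000, 0xCC0000),
    ('secure.bin', 0x1080000, 0xCC0000), ('blank2.bin', 0x1D40000, 0x2C0000),
]
FLASH_SIZE = 0x2000000  # size of the buffer main.c reads the dump into

def layout_problems(table, total):
    """Return gaps or overlaps in an offset table; [] means contiguous and complete."""
    problems, cursor = [], 0
    for name, offset, size in table:
        if offset != cursor:
            problems.append('%s: starts at 0x%X, expected 0x%X' % (name, offset, cursor))
        cursor = offset + size
    if cursor != total:
        problems.append('table ends at 0x%X, expected 0x%X' % (cursor, total))
    return problems

def part_problems(directory, table):
    """Return parts that are missing or not exactly the size the table expects."""
    problems = []
    for name, _offset, size in table:
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            problems.append('%s: missing' % name)
        elif os.path.getsize(path) != size:
            actual = os.path.getsize(path)
            problems.append('%s: 0x%X bytes, expected 0x%X' % (name, actual, size))
    return problems
```

Running part_problems(directory, SFLASH0) before packing and refusing to continue on a non-empty result keeps a truncated or padded part from producing a misaligned image.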

Comments

Chaos Kid

Developer
Senior Member
Contributor
Code:
CONFIG_SMP=y
CONFIG_PCI=y
CONFIG_PCIE_XILINX=y
CONFIG_SYSVIPC=y
CONFIG_POSIX_MQUEUE=y
CONFIG_IKCONFIG=y
CONFIG_IKCONFIG_PROC=y
CONFIG_CGROUPS=y
CONFIG_CGROUP_SCHED=y
CONFIG_CFS_BANDWIDTH=y
CONFIG_CGROUP_BPF=y
CONFIG_NAMESPACES=y
CONFIG_USER_NS=y
CONFIG_BLK_DEV_INITRD=y
CONFIG_EXPERT=y
CONFIG_CHECKPOINT_RESTORE=y
CONFIG_BPF_SYSCALL=y
CONFIG_NET=y
CONFIG_PACKET=y
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_PNP=y
CONFIG_IP_PNP_DHCP=y
CONFIG_IP_PNP_BOOTP=y
CONFIG_IP_PNP_RARP=y
CONFIG_NETLINK_DIAG=y
CONFIG_DEVTMPFS=y
CONFIG_BLK_DEV_LOOP=y
CONFIG_VIRTIO_BLK=y
CONFIG_BLK_DEV_SD=y
CONFIG_BLK_DEV_SR=y
CONFIG_ATA=y
CONFIG_SATA_AHCI=y
CONFIG_SATA_AHCI_PLATFORM=y
CONFIG_NETDEVICES=y
CONFIG_VIRTIO_NET=y
CONFIG_MACB=y
CONFIG_E1000E=y
CONFIG_R8169=y
CONFIG_MICROSEMI_PHY=y
CONFIG_INPUT_MOUSEDEV=y
CONFIG_SERIAL_8250=y
CONFIG_SERIAL_8250_CONSOLE=y
CONFIG_SERIAL_OF_PLATFORM=y
CONFIG_HVC_RISCV_SBI=y
# CONFIG_PTP_1588_CLOCK is not set
CONFIG_DRM=y
CONFIG_DRM_RADEON=y
CONFIG_FRAMEBUFFER_CONSOLE=y
CONFIG_USB=y
CONFIG_USB_XHCI_HCD=y
CONFIG_USB_XHCI_PLATFORM=y
CONFIG_USB_EHCI_HCD=y
CONFIG_USB_EHCI_HCD_PLATFORM=y
CONFIG_USB_OHCI_HCD=y
CONFIG_USB_OHCI_HCD_PLATFORM=y
CONFIG_USB_STORAGE=y
CONFIG_USB_UAS=y
CONFIG_VIRTIO_MMIO=y
CONFIG_RAS=y
CONFIG_EXT4_FS=y
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_AUTOFS4_FS=y
CONFIG_MSDOS_FS=y
CONFIG_VFAT_FS=y
CONFIG_TMPFS=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_NFS_FS=y
CONFIG_NFS_V4=y
CONFIG_NFS_V4_1=y
CONFIG_NFS_V4_2=y
CONFIG_ROOT_NFS=y
# CONFIG_RCU_TRACE is not set
CONFIG_CRYPTO_USER_API_HASH=y
CONFIG_MODULES=y
CONFIG_MODULE_UNLOAD=y
This is from Sony's own repo online, which after I mentioned it they pulled, but not before I had a copy of the kernel.
 

jaster0589

Member
Contributor
Hello. I have firmware on ps4 5.05. I eneble to update the hard drive by first cloning, but it all crashed. I connect my native hard drive now, asks to restore the system. I don't have an optical drive or a board for it.

Is it possible to solve the problem and restore the system without an optical drive? Or can you make a drive patch from another dump? After the extractor, how do I pack back with another drive dump?
 