Category: PS4 Jailbreaking | Thread starter: PSXHAX | Start date: May 11, 2018 at 2:15 AM
Status
Not open for further replies.
Today PlayStation 4 developer @SpecterDev announced on Twitter that a full PS4 5.05 Jailbreak (userland and kernel exploit) is coming soon, complete with tools for developing PS4 homebrew applications and games on 5.05 OFW, such as the Alpha-V3.pkg homebrew.

This follows the PS4 5.03 WebKit Exploit Port, the PS4 5.50 WebKit Exploit Rewrite and qwertyoruiop's tweet yesterday that he would be speaking on PS4 hacking, "from zero to ring zero in two easy steps", today at 0x41con.

PlayStation developer @Mathieulh also dropped some PS4 Firmware 5.53 teasers on Twitter recently, including a kernel string, while reminding everyone to have some patience.

To quote from SpecterDev: "Within the next few weeks there will be a PS4 5.05 full stack release including tools for homebrew development. Some other tools will be dropped as time goes on. Don't update your <= 5.05 consoles if you care about homebrew. Hope to see cool stuff soon :)"

From Pastebin.com, a debugger transcript posted alongside the announcement. It appears to be a userland test of the MOV SS / POP SS deferred debug-exception behaviour that was publicly disclosed the same week (CVE-2018-8897): a hardware data breakpoint (DR0/DR7) is placed on the memory holding the SS selector value, a plain read confirms the watchpoint fires as SIGTRAP, and then MOV SS is executed with INT3 immediately behind it so that the pending #DB is delivered one instruction late. The transcript does not say more than that, so the "segmentation fault" at the end is the only visible outcome:
Code:
       SS = 0x2b, &SS = 0x5613f4b0b1a8
       Set up a watchpoint
       DR0 = 5613f4b0b1a8, DR1 = 5613f49081c5, DR7 = 7000a
[Run]  Read from watched memory (should get SIGTRAP)
       Got SIGTRAP with RIP=55D91EFBFFCD, EFLAGS.RF=0
[Run]  MOV SS; INT3
segmentation fault
https://github.com/Vultra/PS4Offsets-With-Payloads
https://github.com/valentinbreiz/ps4-kexec/blob/5.05-offsets/magic.h
Code:
#ifdef PS4_3_55

#define kern_off_printf 0x1df550
#define kern_off_copyin 0x3b96e0
#define kern_off_copyout 0x3b9660
#define kern_off_copyinstr 0x3b9a50
#define kern_off_kmem_alloc_contig 0x337ea0
#define kern_off_kmem_free 0x33bca0
#define kern_off_pmap_extract 0x3afd70
#define kern_off_pmap_protect 0x3b1f50
#define kern_off_sched_pin 0x1ced60
#define kern_off_sched_unpin 0x1cedc0
#define kern_off_smp_rendezvous 0x1e7810
#define kern_off_smp_no_rendevous_barrier 0x1e75d0
#define kern_off_icc_query_nowait 0x3ed450
#define kern_off_kernel_map 0x196acc8
#define kern_off_sysent 0xeed880
#define kern_off_kernel_pmap_store 0x19bd628
#define kern_off_Starsha_UcodeInfo 0x1869fa0

#define kern_off_pml4pml4i 0x19bd618
#define kern_off_dmpml4i 0x19bd61c
#define kern_off_dmpdpi 0x19bd620

#elif defined PS4_3_70

#define kern_off_printf 0x1df620
#define kern_off_copyin 0x3b97d0
#define kern_off_copyout 0x3b9750
#define kern_off_copyinstr 0x3b9b40
#define kern_off_kmem_alloc_contig 0x337f70
#define kern_off_kmem_free 0x33bd70
#define kern_off_pmap_extract 0x3afe60
#define kern_off_pmap_protect 0x3b2040
#define kern_off_sched_pin 0x1cee30
#define kern_off_sched_unpin 0x1cee90
#define kern_off_smp_rendezvous 0x1e78e0
#define kern_off_smp_no_rendevous_barrier 0x1e76a0
#define kern_off_icc_query_nowait 0x3ed7f0
#define kern_off_kernel_map 0x1976cc8
#define kern_off_sysent 0xef6d90
#define kern_off_kernel_pmap_store 0x19c9628
#define kern_off_Starsha_UcodeInfo 0
#define kern_off_gpu_devid_is_9924 0x443a20
#define kern_off_gc_get_fw_info 0x44b5a0

#define kern_off_pml4pml4i 0x19c9618
#define kern_off_dmpml4i 0x19c961c
#define kern_off_dmpdpi 0x19c9620

#elif defined PS4_4_00 || defined PS4_4_01

#define kern_off_printf 0x347450
#define kern_off_copyin 0x286cc0
#define kern_off_copyout 0x286c40
#define kern_off_copyinstr 0x287030
#define kern_off_kmem_alloc_contig 0x275da0
#define kern_off_kmem_free 0x369580
#define kern_off_pmap_extract 0x3eeed0
#define kern_off_pmap_protect 0x3f1120
#define kern_off_sched_pin 0x1d1120
#define kern_off_sched_unpin 0x1d1180
#define kern_off_smp_rendezvous 0x34a020
#define kern_off_smp_no_rendevous_barrier 0x349de0
#define kern_off_icc_query_nowait 0x46c5a0
#define kern_off_kernel_map 0x1fe71b8
#define kern_off_sysent 0xf17790
#define kern_off_kernel_pmap_store 0x200c310
#define kern_off_Starsha_UcodeInfo 0x18dafb0

#define kern_off_pml4pml4i 0x200c300
#define kern_off_dmpml4i 0x200c304
#define kern_off_dmpdpi 0x200c308

#elif defined PS4_4_05

#define kern_off_printf 0x347580
#define kern_off_copyin 0x286df0
#define kern_off_copyout 0x286d70
#define kern_off_copyinstr 0x287160
#define kern_off_kmem_alloc_contig 0x275ed0
#define kern_off_kmem_free 0x3696b0
#define kern_off_pmap_extract 0x3ef000
#define kern_off_pmap_protect 0x3f1250
#define kern_off_sched_pin 0x1d1250
#define kern_off_sched_unpin 0x1d12B0
#define kern_off_smp_rendezvous 0x34a150
#define kern_off_smp_no_rendevous_barrier 0x349f10
#define kern_off_icc_query_nowait 0x46c6d0
#define kern_off_kernel_map 0x1fe71b8
#define kern_off_sysent 0xf17790
#define kern_off_kernel_pmap_store 0x200c310
#define kern_off_Starsha_UcodeInfo 0
#define kern_off_gpu_devid_is_9924 0x4b9030
#define kern_off_gc_get_fw_info 0x4a19a0

#define kern_off_pml4pml4i 0x200c300
#define kern_off_dmpml4i 0x200c304
#define kern_off_dmpdpi 0x200c308

#elif defined PS4_4_55

#define kern_off_printf 0x17F30
#define kern_off_copyin 0x14A890
#define kern_off_copyout 0x14A7B0
#define kern_off_copyinstr 0x14AD00
#define kern_off_kmem_alloc_contig 0x250320
#define kern_off_kmem_free 0x16EEA0
#define kern_off_pmap_extract 0x41DBC0
#define kern_off_pmap_protect 0x420310
#define kern_off_sched_pin 0x73770
#define kern_off_sched_unpin 0x73780
#define kern_off_smp_rendezvous 0xB2BB0
#define kern_off_smp_no_rendevous_barrier 0xB2970
#define kern_off_icc_query_nowait 0x808C0
#define kern_off_kernel_map 0x1B31218
#define kern_off_sysent 0x102B690
#define kern_off_kernel_pmap_store 0x21BCC38
#define kern_off_Starsha_UcodeInfo 0
#define kern_off_gpu_devid_is_9924 0x496720
#define kern_off_gc_get_fw_info 0x4A12D0

#define kern_off_pml4pml4i 0x21BCC28
#define kern_off_dmpml4i 0x21BCC2C
#define kern_off_dmpdpi 0x21BCC30

#elif defined PS4_5_05

#define kern_off_printf 0x436040
#define kern_off_copyin 0x1ea710
#define kern_off_copyout 0x1ea630
#define kern_off_copyinstr 0x001eab40
#define kern_off_kmem_alloc_contig 0xfcc80
#define kern_off_kmem_free 0xfce50
#define kern_off_pmap_extract 0x41DBC0 //Missing
#define kern_off_pmap_protect 0x420310 //Missing
#define kern_off_sched_pin 0x0031ff40
#define kern_off_sched_unpin 0x0031ff50
#define kern_off_smp_rendezvous 0x00702330
#define kern_off_smp_no_rendevous_barrier 0xB2970 //Missing
#define kern_off_icc_query_nowait 0x808C0 //Missing
#define kern_off_kernel_map 0x1B31218 //Missing
#define kern_off_sysent 0x0107c610
#define kern_off_kernel_pmap_store 0x21BCC38 //Missing
#define kern_off_Starsha_UcodeInfo 0
#define kern_off_gpu_devid_is_9924 0x496720 //Missing
#define kern_off_gc_get_fw_info 0x4A12D0 //Missing

#define kern_off_pml4pml4i 0x21BCC28 //Missing
#define kern_off_dmpml4i 0x21BCC2C //Missing
#define kern_off_dmpdpi 0x21BCC30 //Missing

#endif
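A consistency check over the offset blocks above, added here as an example; it is not part of magic.h, ps4-kexec or either linked repository. Two relations hold in every block of the header and are worth encoding before trusting a new table: `kern_off_pml4pml4i`, `kern_off_dmpml4i` and `kern_off_dmpdpi` sit exactly 0x10, 0xC and 0x8 bytes before `kern_off_kernel_pmap_store` (the three page-table indices precede the pmap struct in .data), and `copyout` is emitted just before `copyin` with `copyinstr` shortly after. Those internal checks pass on the 5.05 block with its `//Missing` placeholders too, because the placeholders are the 4.55 values copied whole, so the example also counts fields identical between two firmware entries; six shared values between "5.05" and "4.55" is the tell. The rows are copied from the header (the last row is the corrected 5.05 block J0nni3 posted further down, whose "pending verification" pml4 entries do satisfy the layout relation); the distance thresholds in `copy_family_ok` and `sched_pair_ok` are my heuristics from the values on this page, not anything the header states.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Indices into the per-firmware value array; names follow kern_off_* above. */
enum { COPYIN, COPYOUT, COPYINSTR, PMAP_EXTRACT, PMAP_PROTECT, SCHED_PIN, SCHED_UNPIN,
       KERNEL_PMAP_STORE, PML4PML4I, DMPML4I, DMPDPI, N_OFF };

struct fw_offsets { const char *fw; uint64_t v[N_OFF]; };

/* Rows copied from the header above. "5.05-stub" is the valentinbreiz 5.05
 * block with its "//Missing" placeholders; "5.05" is the J0nni3 block. */
static const struct fw_offsets TABLE[] = {
    { "4.55",      { 0x14A890, 0x14A7B0, 0x14AD00, 0x41DBC0, 0x420310, 0x73770,  0x73780,
                     0x21BCC38, 0x21BCC28, 0x21BCC2C, 0x21BCC30 } },
    { "5.01",      { 0x1EA600, 0x1EA520, 0x1EAA30, 0x2E02A0, 0x2E2D00, 0x31FB70, 0x31FB80,
                     0x22CB4F0, 0x22CB4E0, 0x22CB4E4, 0x22CB4E8 } },
    { "5.05-stub", { 0x1EA710, 0x1EA630, 0x1EAB40, 0x41DBC0, 0x420310, 0x31FF40, 0x31FF50,
                     0x21BCC38, 0x21BCC28, 0x21BCC2C, 0x21BCC30 } },
    { "5.05",      { 0x1EA710, 0x1EA630, 0x1EAB40, 0x2E0570, 0x2E3090, 0x31FF40, 0x31FF50,
                     0x22CB570, 0x22CB560, 0x22CB564, 0x22CB568 } },
};
#define TABLE_LEN (sizeof TABLE / sizeof TABLE[0])

/* The three ints that precede kernel_pmap_store in .data, in every block. */
int pml4_layout_ok(const struct fw_offsets *o)
{
    uint64_t store = o->v[KERNEL_PMAP_STORE];
    return o->v[PML4PML4I] == store - 0x10 &&
           o->v[DMPML4I]   == store - 0x0c &&
           o->v[DMPDPI]    == store - 0x08;
}

/* copyout directly precedes copyin (0x80 apart up to 4.05, 0xE0 from 4.55)
 * and copyinstr follows within a page (0x370..0x470). Heuristic thresholds. */
int copy_family_ok(const struct fw_offsets *o)
{
    return o->v[COPYOUT] < o->v[COPYIN] &&
           o->v[COPYIN] - o->v[COPYOUT] <= 0x200 &&
           o->v[COPYINSTR] > o->v[COPYIN] &&
           o->v[COPYINSTR] - o->v[COPYIN] <= 0x1000;
}

/* sched_unpin is a tiny function emitted right after sched_pin (+0x10 or +0x60). */
int sched_pair_ok(const struct fw_offsets *o)
{
    return o->v[SCHED_UNPIN] > o->v[SCHED_PIN] &&
           o->v[SCHED_UNPIN] - o->v[SCHED_PIN] <= 0x100;
}

/* Number of offsets identical between two firmware rows. Code and .data move
 * between builds, so a high count means one table was seeded from the other
 * and never filled in, exactly the "//Missing" situation in the 5.05 block. */
int shared_fields(const struct fw_offsets *a, const struct fw_offsets *b)
{
    int n = 0;
    for (size_t i = 0; i < N_OFF; i++)
        if (a->v[i] == b->v[i])
            n++;
    return n;
}

/* All internal checks for one row. Note that the placeholder row passes. */
int entry_ok(const struct fw_offsets *o)
{
    return pml4_layout_ok(o) && copy_family_ok(o) && sched_pair_ok(o);
}

int main(void)
{
    for (size_t i = 0; i < TABLE_LEN; i++) {
        const struct fw_offsets *o = &TABLE[i];
        printf("%-10s internal_ok=%d shared_with_4.55=%2d kernel_pmap_store=0x%" PRIx64 "\n",
               o->fw, entry_ok(o), shared_fields(o, &TABLE[0]), o->v[KERNEL_PMAP_STORE]);
    }
    return 0;
}
```

Run stand-alone it prints one line per row; the "5.05-stub" row reports `internal_ok=1` but `shared_with_4.55= 6`, while the corrected 5.05 row shares nothing with 4.55 and only the five copyin/copyout/copyinstr/sched values with the placeholder row.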
Code:
PS4Offsets & Payloads 1.76/4.05/4.55/5.01/5.05

 PS4Offsets ~ Use these offsets if you need to update your old payloads. 
4.05

#define KERN_XFAST_SYSCALL 0x30EB30
#define KERN_PROCESS_ASLR 0x2862D6
#define KERN_PRISON_0 0xF26010
#define KERN_ROOTVNODE 0x206D250
#define KERN_PTRACE_CHECK_1 0xAC2F1
#define KERN_PTRACE_CHECK_2 0xAC6A2
#define KERNEL_REGMGR_SETINT 0x4CEAB0

//Reading kernel_base...
void* kernel_base = &((uint8_t*)__readmsr(0xC0000082))[-KERN_XFAST_SYSCALL];
uint8_t* kernel_ptr = (uint8_t*)kernel_base;
void** got_prison0 =   (void**)&kernel_ptr[KERN_PRISON_0];
void** got_rootvnode = (void**)&kernel_ptr[KERN_ROOTVNODE];

// sceSblACMgrIsSystemUcred
uint64_t *sonyCred = (uint64_t *)(((char *)td_ucred) + 96);
*sonyCred = 0xffffffffffffffff;
// sceSblACMgrGetDeviceAccessType
uint64_t *sceProcType = (uint64_t *)(((char *)td_ucred) + 88);
*sceProcType = 0x3801000000000013; // Max access
// sceSblACMgrHasSceProcessCapability
uint64_t *sceProcCap = (uint64_t *)(((char *)td_ucred) + 104);
*sceProcCap = 0xffffffffffffffff; // Sce Process

//Perm Browser Patch - CrazyVoids
// sceRegMgrSetInt lives in the kernel image; call it through a function pointer built from kernel_ptr.
int (*sceRegMgrSetInt)(uint32_t regId, int value) =
    (int (*)(uint32_t, int))&kernel_ptr[KERNEL_REGMGR_SETINT];
sceRegMgrSetInt(0x3C040000, 0);

Will add more soon.

4.55

//4.55 KERN
#define	KERN_XFAST_SYSCALL 0x3095D0
#define KERN_PROCESS_ASLR 0x1BA559
#define KERN_PRISON_0 0x10399B0
#define KERN_ROOTVNODE 0x21AFA30
#define KERN_PTRACE_CHECK 0x17D2C1

//Reading kernel_base...
void* kernel_base = &((uint8_t*)__readmsr(0xC0000082))[-KERN_XFAST_SYSCALL];
uint8_t* kernel_ptr = (uint8_t*)kernel_base;
void** got_prison0 =   (void**)&kernel_ptr[KERN_PRISON_0];
void** got_rootvnode = (void**)&kernel_ptr[KERN_ROOTVNODE];

// sceSblACMgrIsSystemUcred
uint64_t *sonyCred = (uint64_t *)(((char *)td_ucred) + 96);
*sonyCred = 0xffffffffffffffff;
// sceSblACMgrGetDeviceAccessType
uint64_t *sceProcType = (uint64_t *)(((char *)td_ucred) + 88);
*sceProcType = 0x3801000000000013; // Max access
// sceSblACMgrHasSceProcessCapability
uint64_t *sceProcCap = (uint64_t *)(((char *)td_ucred) + 104);
*sceProcCap = 0xffffffffffffffff; // Sce Process

// debug settings FULL (kernel_ptr is the uint8_t* view of kernel_base set up above)
kernel_ptr[0x1B6D086] |= 0x14;
kernel_ptr[0x1B6D0A9] |= 0x3;
kernel_ptr[0x1B6D0AA] |= 0x1;
kernel_ptr[0x1B6D0C8] |= 0x1;

// Disable write protection
*(uint32_t*)&kernel_ptr[0x4D70F7] = 0;
*(uint32_t*)&kernel_ptr[0x4D7F81] = 0;

//UART Enabler 4.55
*(char *)(kernel_ptr + 0x1997BC8) = 0;

//EAP Internal Partition Key (location only, nothing is written here)
// kernel_ptr[0x258CCD0]

5.01 Offsets


#define KERN_XFAST_SYSCALL   0x1C0      //5.0x https://twitter.com/C0rpVultra/status/992789973966512133
#define KERN_PRISON_0        0x10986A0  //5.01
#define KERN_ROOTVNODE       0x22C19F0  //5.01
#define KERN_PMAP_PROTECT    0x2E2D00   //5.01
#define KERN_PMAP_PROTECT_P  0x2E2D44   //5.01
#define KERN_PMAP_STORE      0x22CB4F0  //5.01
#define KERN_REGMGR_SETINT   0x4F8940   //5.01
#define KERN_PROCESS_ASLR    0x194765   //5.01 Thanks to J00ni3 - Need Verification
#define KERN_PTRACE_CHECK    0x30D633   //5.01 Thanks to J00ni3 - Need Verification
#define DT_HASH_SEGMENT      0xB5EE20   //5.01

//Reading kernel_base...
void* kernel_base = &((uint8_t*)__readmsr(0xC0000082))[-KERN_XFAST_SYSCALL];
uint8_t* kernel_ptr = (uint8_t*)kernel_base;
void** got_prison0 =   (void**)&kernel_ptr[KERN_PRISON_0];
void** got_rootvnode = (void**)&kernel_ptr[KERN_ROOTVNODE];

// sceSblACMgrIsSystemUcred
uint64_t *sonyCred = (uint64_t *)(((char *)td_ucred) + 96);
*sonyCred = 0xffffffffffffffff;
// sceSblACMgrGetDeviceAccessType
uint64_t *sceProcType = (uint64_t *)(((char *)td_ucred) + 88);
*sceProcType = 0x3801000000000013; // Max access
// sceSblACMgrHasSceProcessCapability
uint64_t *sceProcCap = (uint64_t *)(((char *)td_ucred) + 104);
*sceProcCap = 0xffffffffffffffff; // Sce Process

  
// debug settings patches 5.01
*(char *)(kernel_base + 0x1CD0686) |= 0x14;
*(char *)(kernel_base + 0x1CD06A9) |= 3;
*(char *)(kernel_base + 0x1CD06AA) |= 1;
*(char *)(kernel_base + 0x1CD06C8) |= 1;

// debug menu error patches 5.01
*(uint32_t *)(kernel_base + 0x4F8C78) = 0;
*(uint32_t *)(kernel_base + 0x4F9D8C) = 0;

// target_id patches 5.01
*(uint16_t *)(kernel_base + 0x1CD068C) = 0x8101;
*(uint16_t *)(kernel_base + 0x236B7FC) = 0x8101;

// disable pfs signature 5.01
*(uint32_t *)(kernel_base + 0x6A2320) = 0x90C3C031;

// flatz enable RIFs 5.01
  *(uint32_t *)(kernel_base + 0x64AED0) = 0x90C301B0;
  *(uint32_t *)(kernel_base + 0x64AEF0) = 0x90C301B0;
  
// enable perm browser 5.01 (same two-argument call as on 4.05, via KERN_REGMGR_SETINT defined above)
int (*sceRegMgrSetInt)(uint32_t regId, int value) =
    (int (*)(uint32_t, int))&kernel_ptr[KERN_REGMGR_SETINT];
sceRegMgrSetInt(0x3C040000, 0);

// enable mmap of all SELF 5.01
*(uint8_t*)(kernel_base + 0x117B0) = 0xB0;
*(uint8_t*)(kernel_base + 0x117B1) = 0x01;
*(uint8_t*)(kernel_base + 0x117B2) = 0xC3;

*(uint8_t*)(kernel_base + 0x117C0) = 0xB0;
*(uint8_t*)(kernel_base + 0x117C1) = 0x01;
*(uint8_t*)(kernel_base + 0x117C2) = 0xC3;

*(uint8_t*)(kernel_base + 0x13EF2F) = 0x31;
*(uint8_t*)(kernel_base + 0x13EF30) = 0xC0;
*(uint8_t*)(kernel_base + 0x13EF31) = 0x90;
*(uint8_t*)(kernel_base + 0x13EF32) = 0x90;
*(uint8_t*)(kernel_base + 0x13EF33) = 0x90;

#elif defined PS4_5_01

#define kern_off_printf 0x00435C70
#define kern_off_copyin 0x1EA600
#define kern_off_copyout 0x1EA520
#define kern_off_copyinstr 0x1EAA30
#define kern_off_kmem_alloc_contig 0xF1B80
#define kern_off_kmem_free 0xFCD40
#define kern_off_pmap_extract 0x2E02A0
#define kern_off_pmap_protect 0x2E2D00
#define kern_off_sched_pin 0x31FB70
#define kern_off_sched_unpin 0x31FB80
#define kern_off_smp_rendezvous 0x1B84A0
#define kern_off_smp_no_rendevous_barrier 0x1B8260
#define kern_off_icc_query_nowait 0x44020
#define kern_off_kernel_map 0x1AC60E0
#define kern_off_sysent 0x107C610
#define kern_off_kernel_pmap_store 0x22CB4F0
#define kern_off_Starsha_UcodeInfo 0
#define kern_off_gpu_devid_is_9924 0x4DDC40
#define kern_off_gc_get_fw_info 0x4D33D0

#define kern_off_pml4pml4i 0x22CB4E0
#define kern_off_dmpml4i 0x22CB4E4
#define kern_off_dmpdpi 0x22CB4E8

#endif

5.05 Offsets

#define KERN_XFAST_SYSCALL   0x1C0      //5.0x https://twitter.com/C0rpVultra/status/992789973966512133
#define KERN_PRISON_0        0x10986A0
#define KERN_ROOTVNODE       0x22C1A70
#define KERN_PROCESS_ASLR    0x194875
#define KERN_PTRACE_CHECK    0x30D9AA

#define KERN_PMAP_PROTECT    0x2E3090
#define KERN_PMAP_PROTECT_P  0x2E30D4
#define KERN_PMAP_STORE      0x22CB570

#define DT_HASH_SEGMENT      0xB5EF30

//Reading kernel_base...
void* kernel_base = &((uint8_t*)__readmsr(0xC0000082))[-KERN_XFAST_SYSCALL];
uint8_t* kernel_ptr = (uint8_t*)kernel_base;
void** got_prison0 =   (void**)&kernel_ptr[KERN_PRISON_0];
void** got_rootvnode = (void**)&kernel_ptr[KERN_ROOTVNODE];

// sceSblACMgrIsSystemUcred
uint64_t *sonyCred = (uint64_t *)(((char *)td_ucred) + 96);
*sonyCred = 0xffffffffffffffff;
// sceSblACMgrGetDeviceAccessType
uint64_t *sceProcType = (uint64_t *)(((char *)td_ucred) + 88);
*sceProcType = 0x3801000000000013; // Max access
// sceSblACMgrHasSceProcessCapability
uint64_t *sceProcCap = (uint64_t *)(((char *)td_ucred) + 104);
*sceProcCap = 0xffffffffffffffff; // Sce Process

//UART Enabler 5.05 Thanks to @DiwiDog // https://twitter.com/diwidog/status/996362528312647680
*(char *)(kernel_base + 0x09ECEB0) = 0;

// debug settings patches 5.05
*(char *)(kernel_base + 0x1CD0686) |= 0x14;
*(char *)(kernel_base + 0x1CD06A9) |= 3;
*(char *)(kernel_base + 0x1CD06AA) |= 1;
*(char *)(kernel_base + 0x1CD06C8) |= 1;

// debug menu error patches 5.05
*(uint32_t *)(kernel_base + 0x4F9048) = 0;
*(uint32_t *)(kernel_base + 0x4FA15C) = 0;

// enable mmap of all SELF 5.05
*(uint8_t*)(kernel_base + 0x117B0) = 0xB0;
*(uint8_t*)(kernel_base + 0x117B1) = 0x01;
*(uint8_t*)(kernel_base + 0x117B2) = 0xC3;

*(uint8_t*)(kernel_base + 0x117C0) = 0xB0;
*(uint8_t*)(kernel_base + 0x117C1) = 0x01;
*(uint8_t*)(kernel_base + 0x117C2) = 0xC3;

*(uint8_t*)(kernel_base + 0x13F03F) = 0x31;
*(uint8_t*)(kernel_base + 0x13F040) = 0xC0;
*(uint8_t*)(kernel_base + 0x13F041) = 0x90;
*(uint8_t*)(kernel_base + 0x13F042) = 0x90;
*(uint8_t*)(kernel_base + 0x13F043) = 0x90;

// flatz disable pfs signature check 5.05
*(uint32_t *)(kernel_base + 0x6A2700) = 0x90C3C031;
// flatz enable debug RIFs 5.05
*(uint32_t *)(kernel_base + 0x64B2B0) = 0x90C301B0;
*(uint32_t *)(kernel_base + 0x64B2D0) = 0x90C301B0;

// debug pkg free string
#define fake_free_patch                 0xEA96A7

// make pkgs installer working with external hdd
#define pkg_installer_patch		0x9312A1


// Fself
#define sceSblAuthMgrSmStart_addr       0x6418E0
#define sceSblServiceMailbox_addr       0x632540
#define sceSblAuthMgrGetSelfInfo_addr   0x63CD40
#define sceSblAuthMgrIsLoadable2_addr   0x63C4F0
#define sceSblAuthMgrVerifyHeader_addr  0x642B40

// Fpkg
#define sceSblPfsKeymgrGenKeys_addr     0x62D480
#define sceSblPfsSetKeys_addr           0x61EFA0
#define sceSblKeymgrClearKey_addr       0x62DB10
#define sceSblKeymgrSetKeyForPfs_addr   0x62D780
#define sceSblKeymgrSmCallfunc_addr     0x62E2A0
#define sceSblDriverSendMsg_addr        0x61D7F0
#define RsaesPkcs1v15Dec2048CRT_addr    0x1FD7D0
#define AesCbcCfb128Encrypt_addr        0x3A2BD0
#define AesCbcCfb128Decrypt_addr        0x3A2E00
#define Sha256Hmac_addr                 0x2D55B0

// Patch
#define proc_rwmem_addr                 0x30D150
#define vmspace_acquire_ref_addr        0x19EF90
#define vmspace_free_addr               0x19EDC0
#define vm_map_lock_read_addr           0x19F140
#define vm_map_unlock_read_addr         0x19F190
#define vm_map_lookup_entry_addr        0x19F760

// Fself hooks
#define sceSblAuthMgrIsLoadable2_hook                             0x63E3A1
#define sceSblAuthMgrVerifyHeader_hook1                           0x63EAFC
#define sceSblAuthMgrVerifyHeader_hook2                           0x63F718
#define sceSblAuthMgrSmLoadSelfSegment__sceSblServiceMailbox_hook 0x64318B
#define sceSblAuthMgrSmLoadSelfBlock__sceSblServiceMailbox_hook   0x643DA2

// Fpkg hooks
#define sceSblKeymgrSmCallfunc_npdrm_decrypt_isolated_rif_hook    0x64C720
#define sceSblKeymgrSmCallfunc_npdrm_decrypt_rif_new_hook         0x64D4FF
#define sceSblKeymgrSetKeyStorage__sceSblDriverSendMsg_hook       0x624065
#define mountpfs__sceSblPfsSetKeys_hook1                          0x6AAAD5
#define mountpfs__sceSblPfsSetKeys_hook2                          0x6AAD04

// SceShellCore patches

// call sceKernelIsGenuineCEX
#define sceKernelIsGenuineCEX_patch1    0x16D05B 
#define sceKernelIsGenuineCEX_patch2    0x79980B
#define sceKernelIsGenuineCEX_patch3    0x7E5A13
#define sceKernelIsGenuineCEX_patch4    0x94715B

// call nidf_libSceDipsw
#define nidf_libSceDipsw_patch1         0x16D087
#define nidf_libSceDipsw_patch2         0x23747B
#define nidf_libSceDipsw_patch3         0x799837
#define nidf_libSceDipsw_patch4         0x947187

// enable fpkg
#define enable_fpkg_patch               0x3E0602

#elif defined PS4_5_05 // Thanks to J0nni3

#define kern_off_printf                     0x436040
#define kern_off_copyin                     0x1EA710
#define kern_off_copyout                    0x1EA630
#define kern_off_copyinstr                  0x1EAB40
#define kern_off_kmem_alloc_contig          0xF1C90
#define kern_off_kmem_free                  0xFCE50
#define kern_off_pmap_extract               0x2E0570
#define kern_off_pmap_protect               0x2E3090
#define kern_off_sched_pin                  0x31FF40
#define kern_off_sched_unpin                0x31FF50
#define kern_off_smp_rendezvous             0x1B85B0
#define kern_off_smp_no_rendevous_barrier   0x1B8366
#define kern_off_icc_query_nowait           0x44020
#define kern_off_kernel_map                 0x1AC60E0
#define kern_off_sysent                     0x107C610
#define kern_off_kernel_pmap_store          0x22CB570
#define kern_off_Starsha_UcodeInfo 0
#define kern_off_gpu_devid_is_9924          0x4DE010
#define kern_off_gc_get_fw_info             0x4D37A0
#define kern_off_pml4pml4i                  0x22CB560 // Pending verification.
#define kern_off_dmpml4i                    0x22CB564
#define kern_off_dmpdpi                     0x22CB568
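The dword and byte patches in the 5.01 and 5.05 payload listings above (`0x90C3C031`, `0x90C301B0`, the `B0 01 C3` stub and the `31 C0 90 90 90` sequence) are x86 machine code written little-endian over the first bytes of a kernel function. The decoder below is an added example, not part of the PS4Offsets repository or of any payload: it splits each constant into the byte order the CPU actually fetches, decodes the four opcodes these patches use, and works out what a caller sees in AL when the patched code returns. `0x90C3C031` comes out as `xor eax, eax; ret; nop`, i.e. the PFS signature check now returns 0 (success), and `0x90C301B0` as `mov al, 0x01; ret; nop`, i.e. the RIF check returns true. The five-byte `31 C0 90 90 90` sequence contains no `ret`: it overwrites an instruction inside a function rather than stubbing the whole function, and the decoder reports that case as "does not return". The sample byte strings are copied from the listings above; everything else is constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte strings copied from the 5.05 "enable mmap of all SELF" patches above. */
static const uint8_t MMAP_STUB[]   = { 0xB0, 0x01, 0xC3 };             /* mov al,1; ret */
static const uint8_t MMAP_INLINE[] = { 0x31, 0xC0, 0x90, 0x90, 0x90 }; /* xor eax,eax; nop x3 */

/* Split a dword into the order it lands in memory on x86-64 (little-endian):
 * this is the byte sequence the CPU fetches after *(uint32_t *)p = v. */
void dword_to_bytes(uint32_t v, uint8_t out[4])
{
    for (int i = 0; i < 4; i++)
        out[i] = (uint8_t)(v >> (8 * i));
}

/* Decode one instruction from the tiny subset the patches use.
 * Returns bytes consumed, 0 if the opcode is not one of the four. */
size_t decode_one(const uint8_t *p, size_t n, char *out, size_t outsz)
{
    if (n >= 2 && p[0] == 0x31 && p[1] == 0xC0) { snprintf(out, outsz, "xor eax, eax"); return 2; }
    if (n >= 2 && p[0] == 0xB0)                 { snprintf(out, outsz, "mov al, 0x%02x", p[1]); return 2; }
    if (n >= 1 && p[0] == 0xC3)                 { snprintf(out, outsz, "ret"); return 1; }
    if (n >= 1 && p[0] == 0x90)                 { snprintf(out, outsz, "nop"); return 1; }
    return 0;
}

/* Disassemble a whole patch into "insn; insn; ..." form.
 * Returns the instruction count, or -1 if a byte could not be decoded. */
int disasm_patch(const uint8_t *p, size_t n, char *listing, size_t sz)
{
    size_t off = 0;
    int count = 0;
    listing[0] = '\0';
    while (off < n) {
        char insn[32];
        size_t len = decode_one(p + off, n - off, insn, sizeof insn);
        if (len == 0)
            return -1;
        if (count)
            strncat(listing, "; ", sz - strlen(listing) - 1);
        strncat(listing, insn, sz - strlen(listing) - 1);
        off += len;
        count++;
    }
    return count;
}

/* Value in AL at the first RET, i.e. what a caller testing an int/bool result
 * sees. -1 if the sequence never returns (an inline patch) or if AL was never
 * set before RET or an unknown opcode appears. */
int patch_return_value(const uint8_t *p, size_t n)
{
    size_t off = 0;
    int al = -1;
    while (off < n) {
        char insn[32];
        size_t len = decode_one(p + off, n - off, insn, sizeof insn);
        if (len == 0)
            return -1;
        if (p[off] == 0x31)       al = 0;           /* xor eax, eax */
        else if (p[off] == 0xB0)  al = p[off + 1];  /* mov al, imm8 */
        else if (p[off] == 0xC3)  return al;        /* ret */
        off += len;
    }
    return -1;
}

/* Convenience wrappers for the *(uint32_t *)addr = v form used by the payloads. */
int dword_patch_return_value(uint32_t v)
{
    uint8_t b[4];
    dword_to_bytes(v, b);
    return patch_return_value(b, 4);
}

int dword_patch_listing_is(uint32_t v, const char *expected)
{
    uint8_t b[4];
    char listing[96];
    dword_to_bytes(v, b);
    return disasm_patch(b, 4, listing, sizeof listing) > 0 && strcmp(listing, expected) == 0;
}

int main(void)
{
    const uint32_t dwords[] = { 0x90C3C031, 0x90C301B0 }; /* from the 5.05 payload above */
    char listing[96];
    for (size_t i = 0; i < 2; i++) {
        uint8_t b[4];
        dword_to_bytes(dwords[i], b);
        disasm_patch(b, 4, listing, sizeof listing);
        printf("0x%08X -> %s (returns %d)\n", dwords[i], listing, patch_return_value(b, 4));
    }
    disasm_patch(MMAP_STUB, sizeof MMAP_STUB, listing, sizeof listing);
    printf("B0 01 C3       -> %s (returns %d)\n", listing, patch_return_value(MMAP_STUB, sizeof MMAP_STUB));
    disasm_patch(MMAP_INLINE, sizeof MMAP_INLINE, listing, sizeof listing);
    printf("31 C0 90 90 90 -> %s (returns %d)\n", listing, patch_return_value(MMAP_INLINE, sizeof MMAP_INLINE));
    return 0;
}
```

The same decoder shows why the dword form is used: a 4-byte store covers `xor eax, eax; ret` plus one padding `nop` in a single write, while the three-byte `mov al, 1; ret` stub is written byte by byte in the listings above.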

Please make a pull request for anything that is missing or if you want to add something. This will be updated over a period of time, adding more offsets.

Contributors

Massive thanks to the following:

    qwertyoruiopz
    Flatz
    SpecterDev
    Many others
 

Comments


seanp2500

proffk, thanks for sharing. I have Ni no Kuni 2, so either myself or someone else will do that one. I also have Superhot and a few other titles. It's going to be a great weekend!
 

Secretc0de

You don't need to wait for the update blocker as it's already included when you run the exploit on 5.05, so you are all set.

When you have debug settings, go and start installing same fpkgs ;)
 

Mikeads

According to the readme on the GitHub, this is Mira + XVortex's HEN, meaning an update blocker is included (this should also delete existing updates).

AL AZIF tweet: "Almost forgot to include js_shellcode.py - my Python script to convert payloads to shellcode - you'll need to use this if you want to update Mira/HEN (and reintegrate) or add a custom payload to auto launch. Usage: python js_shellcode.py [.bin] code_addr" specter said
 