Welcome to PlayStationHaX


zecoxao

Super Admin
  • Content count: 855
  • Days Won: 59

zecoxao last won the day on May 25

zecoxao had the most liked content!

Community Reputation: 1,271 Excellent

About zecoxao

  • Rank: Posting Freak
  • Birthday: 10/12/1990

Profile Information

  • Gender: Not Telling
  1. @3141card has asked me to share this. It is ps2_netemu from 4.81 with full hvcall support, and an option to dump lv1 from inside netemu. @mysis, this is also for you: https://mega.nz/#!FlMQ3SyB!-wtUdxvPEuGBZoB1awY9I5f3zBd_f3qLG7NOZugLE28 Instructions on how to dump lv1 are inside. Have fun.
  2. @Red-EyeX32 asked me to share this with you guys (it's already released but whatever) https://mega.nz/#!h4VnyCxK!n7Sqh9h6_zGT2dnFzue-6_ZUDNh0kfKnuPVmLUWHa-U
  3. How to find TOC in lv1:
  4. @3141card @Joonie @mysis proof of concept scripts: https://www.sendspace.com/file/mv5czq
     lv2_dump_analyser_before_355.idc <- script for firmwares before 3.55 and after 1.02 (TOC located at segment #7)
     lv2_dump_analyser_355_plus.idc <- script for firmwares 3.55 and above (TOC located at segment #6)
     Useful if you want to find everything quickly and leave the syscall table for later. Just add those two to the ps3ida folder and use them according to version. The TOC will be found automatically.
  5. Tools Required:
     * IDA Pro (don't ask where to find it, Google is your friend)
     * HxD
     * 7zip
     * Tools to extract the elf from lv2_kernel.self (Unself/Unself2/Scetool/etc) / pup unpack tools
     Step 1: Extract the elf from lv2_kernel (here I'm using aldos tools) by right-clicking lv2 and choosing "SELF Tools->Extract ELF".
     Step 2: Extract the elf further with 7zip by right-clicking the elf and choosing "7zip-> Extract to <name_of_file_without_extension>". It'll create a folder and extract its contents. If a popup box shows up asking whether to overwrite or not, choose "Rename automatically".
     Step 3: Open the folder and go to the segment with 46KB/45KB size. Open it with HxD and go 0x8000 bytes into the file from the start position. Example for 1.02 lv2_kernel:
     Step 4: Copy the first 8 bytes from 0x8000 to the transfer area.
     Step 5: Open the kernel in IDA Pro and let it load. After it loads, search for those bytes. You should see an unknown data structure. That is your TOC.
     PS: Tested on 4.46 REX Cex Kernel, 1.02 CEX Kernel, and 4.60 DECR Kernel, as well as 3.41 CEX Kernel v1, 2.70 CEX Kernel and 2.00 CEX Kernel
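The TOC search from the post above, as an added Python example that is not the author's script and not the .idc files from post 4: it parses the PT_LOAD program headers of a big-endian ELF64, reads the 8 bytes at 0x8000 into the chosen segment (post 4 gives which segment index to use per firmware), and lists every file offset where that 8-byte value recurs, which is what the manual HxD/IDA search does. The ELF image is constructed inline and its TOC address is hypothetical.

```python
import struct

PT_LOAD = 1
PHDR_FMT = ">IIQQQQQQ"  # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align


def parse_segments(elf):
    """Return [(index, file_offset, filesz)] for every PT_LOAD program header of a big-endian ELF64."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 2:
        raise ValueError("expected a big-endian ELF64 image")
    (e_phoff,) = struct.unpack_from(">Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from(">HH", elf, 0x36)
    segs = []
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(PHDR_FMT, elf, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            segs.append((i, p_offset, p_filesz))
    return segs


def find_toc(elf, seg_index, probe=0x8000):
    """Read the 8-byte TOC pointer at `probe` into segment `seg_index`, then list every
    file offset in the whole image where that same 8-byte value appears."""
    seg = next((s for s in parse_segments(elf) if s[0] == seg_index), None)
    if seg is None or probe + 8 > seg[2]:
        raise ValueError("segment missing or too small to hold a TOC pointer at the probe offset")
    pattern = elf[seg[1] + probe: seg[1] + probe + 8]
    hits, pos = [], elf.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = elf.find(pattern, pos + 1)
    return int.from_bytes(pattern, "big"), hits


def build_sample_elf():
    """Constructed test image (not a real PS3 kernel): two PT_LOAD segments, the second
    carrying the hypothetical TOC pointer at +0x8000, the first referencing it once."""
    toc_value = 0x8000000000360000  # hypothetical TOC address
    seg0 = b"\x60\x00\x00\x00" * 4 + struct.pack(">Q", toc_value) + b"\x60\x00\x00\x00" * 4  # nops around one reference
    seg1 = b"\x00" * 0x8000 + struct.pack(">Q", toc_value) + b"\x00" * 0x10
    ph_off, data_off = 0x40, 0x40 + 2 * 56
    ehdr = b"\x7fELF" + bytes([2, 2, 1, 0]) + b"\x00" * 8  # ELFCLASS64, ELFDATA2MSB
    ehdr += struct.pack(">HHIQQQIHHHHHH", 2, 0x15, 1, 0, ph_off, 0, 0, 0x40, 56, 2, 0, 0, 0)  # EM_PPC64
    ph0 = struct.pack(PHDR_FMT, PT_LOAD, 5, data_off, 0x8000000000000000, 0x8000000000000000, len(seg0), len(seg0), 0x10)
    ph1 = struct.pack(PHDR_FMT, PT_LOAD, 6, data_off + len(seg0), 0x8000000000300000, 0x8000000000300000, len(seg1), len(seg1), 0x10)
    return ehdr + ph0 + ph1 + seg0 + seg1


if __name__ == "__main__":
    toc, hits = find_toc(build_sample_elf(), 1)
    print(f"TOC = {toc:#018x}, found at file offsets {[hex(h) for h in hits]}")
```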
  6. @mysis needs to see this
  7. BORING! ksploit isn't SAMU. So it's BORING!
  8. They do not exist.
  9. https://mega.nz/#F!55kHGLBR!XlVBKqFYriLOZ6CBoCdyhQ
  10. I still have the sources. Wait.
  11. First of all, a note: this is for testkit and devkit consoles ONLY! We are working on a way to bring debug functionality to retail consoles, but it might take a while.
      These are the patches:
        *(uint16_t *)0xFFFFFFFF82607E56 = 0x9090; //retail - testkit (doesn't work on retail yet, but offsets are the same)
        *(uint16_t *)0xFFFFFFFF82607E71 = 0x9090; //retail - testkit (doesn't work on retail yet, but offsets are the same)
        *(uint16_t *)0xFFFFFFFF825FCFE6 = 0x9090; //devkit
        *(uint16_t *)0xFFFFFFFF825FD001 = 0x9090; //devkit
      Due to the nature of devkits, only hitodama's payloads work on them, so I'll provide one payload for CTurt (for testkit) and one for hito (for devkit):
      testkit payload
      devkit payload
      Since people should already know in detail how to send these payloads, I won't go into much detail. The testkit payload follows the CTurt procedure. The devkit payload follows the Hitodama procedure. The end result will be this:
      Good luck! If you do not feel confident trying the payloads, just implement those patches yourself in your own custom payload.
      PS: Even though it's in the tags, credits to zil0g80 and @wildcard for the sauces and patches
  12. First, as always, the credits (included in README):
      nmount ps4 payload developed by wildcard
      Thanks to Zer0xFF(@Zer0xFF) for ps4sdk.mk linker flags, and BigBoss(@psxdev) for directory printing from ps4link!
      In order to compile for nmount you need to add 2 flags to /ps4sdk/make/ps4sdk.mk
      Replace this line:
        LinkerFlags = -O3 -Wall -m64 $(LibraryPath) $(Debug)
      With this line:
        LinkerFlags = -O3 -Wall -m64 $(LibraryPath) $(Debug) -lPs4SystemCall_stub -lPs4SystemCallAdaptive_stub
      Enjoy!
      Now, for the tutorial!
      Requirements:
      -> PS4 on 1.76
      -> Hitodama's PS4SDK
      -> nmount payload
      -> elf loader or extreme-modding's elf loader
      -> the table (included in payload):
         Partition mounting table
         Partition      | Directory    | fstype   | mount flag
         md0            | /            | msdosfs? | MNT_UPDATE
         da0x0.crypt    | /preinst     | msdosfs  | MNT_UPDATE
         da0x1.crypt    | /preinst2    | msdosfs  | MNT_UPDATE
         da0x2.crypt    | ????????     |          |
         da0x3.crypt    | /eap_vsh     | msdosfs  | MNT_FORCE
         da0x4.crypt    | /system      | msdosfs  | MNT_UPDATE
         da0x4b.crypt   | ???????      |          |
         da0x5.crypt    | /system_ex   | msdosfs  | MNT_UPDATE
         da0x5b.crypt   | some exfat?  | exfat?   |
         da0x6.crypt    | ??????       |          |
         da0x6x0.crypt  | ??????       |          |
         da0x6x1.crypt  | SCE EVENT    |          |
         da0x6x2.crypt  | SCE EVENT    |          |
         da0x8.crypt    | ??????       |          |
         da0x9.crypt    | /system_data | msdosfs  | MNT_FORCE
         da0x12.crypt   | /update      | msdosfs  | MNT_UPDATE
         da0x13.crypt   | /user        | ufs      | MNT_FORCE
         da0x14.crypt   | /eap_user    | msdosfs  | MNT_FORCE
         da0x15.crypt   | ????         |          |
         /user/data     | /data        | nullfs   | MNT_FORCE
      -> Information about the mount fs type (also included in source)
      Steps:
      0. Specify your options in the payload source. fstype is the type of fs you wish your partition to have; some are not valid and will return an error. Check the table for more information. fspath is the path where you want to mount your partition. Finally, from is the location of your crypt partition.
      1. Compile the payload. Make sure the flags on your ps4sdk are properly set! (Check the readme or this post for more information.)
      2. Load the elf loader.
      3. Let it stabilize on stage 5.
      4. Start the listener and run the payload:
           #listener
           socat - TCP:my.ps4.ip:5052
           #sender
           socat -u FILE:path/to/nmount TCP:my.ps4.ip:5053
         Where my.ps4.ip is your local ps4 ip and path/to/nmount is the absolute or relative path to the mounting payload.
      5. You should have your crypt partition mounted.
      PS: This does exactly the same thing as tomtomdu's partition remounter! Be very careful when using this payload! You may softbrick or even brick your device!
  13. Credits to: z80 (https://twitter.com/ZiL0G80) for finding the patches to enable more UART | /dev/klog logs on his console
      You will need:
      * Retail Payload
      * elfldr/extreme-modding.de playground's elf loader
      * UART Soldering Skills / FTP Server (to grab logs from /dev/klog)
      * PS4 on 1.76
      Steps:
      * Fire up your own elfldr or the extreme-modding.de one (it needs to go all the way to step 5 without running out of memory!)
      * Listen to the payload:
          #listener
          socat - TCP:my.ps4.ip:5052
      * Send the payload:
          #sender
          socat -u FILE:path/to/mempatch_retail.elf TCP:my.ps4.ip:5053
      * Launch a game or a system app
      * [Extra UART] If you have UART connected, listen to the logs while the game or app is being loaded
      * [Extra klog] If you're not a soldering guy, just grab the content from /dev/klog on your FTP root server. WARNING! Logs will delete themselves once every couple of minutes or so!
      * You should have some extra logs.
  14. Inject what? That just rebuilds the database. It's the source code to the package lol. webMAN and Rebug Toolbox do the same.
  15. So, for this tutorial, none of this would've been possible without the help of harlequin and Charles. all of the credits go to them, thanks guys You will need: * A PS4 on 1.76 firmware with ftp capabilities * the ps4 trophy keys (if it's inconvenient to the mods, please remove this link immediately) * Trophy Resigner * The TITLE ID of the game whose trophies you want to resign * An Hexeditor * Command line Knowledge Here are the steps: 1- Extract the contents of the trophy keys zipfile into your %USERPROFILE% folder (in my case it's C:\Users\zecoxao). You will have it as C:\Users\zecoxao\ps4keys\<keys_here> 2- Navigate to: /system_data/priv/appmeta And find the TITLE ID of the game which you want to resign the trophy file 3- Copy the CUSA title id folder to a safe place. 4- Open npbind.dat inside with Hexeditor: here we can see that game CUSA00434 has correspondant trophy file NPWR05974 5- Now that you know correspondant id, navigate to: /user/trophy/conf and find folder with that id and place it somewhere safe on your pc. you know have two things: your np communications id and your trophy file 6. Open a command line and type the appropriate command with trp_resigner.exe: trp_resigner.exe NPWR05974_00/TROPHY.TRP NPWR05974_00 trophy00.trp Following the example above. 7. Congratulations! You now have a resigned debug trophy