Welcome to PlayStationHaX




About zecoxao

  1. BORING! ksploit isn't SAMU, so it's BORING!
  2. They do not exist.
  3. https://mega.nz/#F!55kHGLBR!XlVBKqFYriLOZ6CBoCdyhQ
  4. I still have the sources. Wait.
  5. First of all, a note. This is for testkit and devkit consoles ONLY! We are working on a way to bring debug functionality to retail consoles, but it might take a while.

     These are the patches:

         *(uint16_t *)0xFFFFFFFF82607E56 = 0x9090; //retail - testkit (doesn't work on retail yet, but offsets are the same)
         *(uint16_t *)0xFFFFFFFF82607E71 = 0x9090; //retail - testkit (doesn't work on retail yet, but offsets are the same)
         *(uint16_t *)0xFFFFFFFF825FCFE6 = 0x9090; //devkit
         *(uint16_t *)0xFFFFFFFF825FD001 = 0x9090; //devkit

     Due to the nature of devkits, only hitodama's payloads work on them, so I'll provide one payload for CTurt (for testkit) and one for hito (for devkit):

     testkit payload
     devkit payload

     Since people should already know in detail how to send these payloads, I won't go through much detail. Testkit payload follows the CTurt procedure. Devkit payload follows the Hitodama procedure.

     The end result will be this:

     Good luck! If you do not feel confident in trying the payloads, just implement those patches yourself in your own custom payload.

     PS: Even though it's in the tags, credits to zil0g80 and @wildcard for the sauces and patches.
  6. First, as always, the credits (included in README):

         nmount ps4 payload developed by wildcard
         Thanks to Zer0xFF (@Zer0xFF) for ps4sdk.mk linker flags, and BigBoss (@psxdev) for directory printing from ps4link!

         In order to compile for nmount you need to add 2 flags to /ps4sdk/make/ps4sdk.mk
         Replace this line:
             LinkerFlags = -O3 -Wall -m64 $(LibraryPath) $(Debug)
         With this line:
             LinkerFlags = -O3 -Wall -m64 $(LibraryPath) $(Debug) -lPs4SystemCall_stub -lPs4SystemCallAdaptive_stub
         Enjoy!

     Now, for the tutorial!

     Requirements:
     -> PS4 on 1.76
     -> Hitodama's PS4SDK
     -> nmount payload
     -> elf loader or extreme-modding's elf loader
     -> the table (included in payload):

         Partition mounting table

         Partition     | Directory    | fstype      | mount flag
         md0           | /            | msdosfs?    | MNT_UPDATE
         da0x0.crypt   | /preinst     | msdosfs     | MNT_UPDATE
         da0x1.crypt   | /preinst2    | msdosfs     | MNT_UPDATE
         da0x2.crypt   | ????????     |             |
         da0x3.crypt   | /eap_vsh     | msdosfs     | MNT_FORCE
         da0x4.crypt   | /system      | msdosfs     | MNT_UPDATE
         da0x4b.crypt  | ???????      |             |
         da0x5.crypt   | /system_ex   | msdosfs     | MNT_UPDATE
         da0x5b.crypt  | some exfat?  | exfat?      |
         da0x6.crypt   | ??????       |             |
         da0x6x0.crypt | ??????       |             |
         da0x6x1.crypt | SCE EVENT    |             |
         da0x6x2.crypt | SCE EVENT    |             |
         da0x8.crypt   | ??????       |             |
         da0x9.crypt   | /system_data | msdosfs     | MNT_FORCE
         da0x12.crypt  | /update      | msdosfs     | MNT_UPDATE
         da0x13.crypt  | /user        | ufs         | MNT_FORCE
         da0x14.crypt  | /eap_user    | msdosfs     | MNT_FORCE
         da0x15.crypt  | ????         |             |
         /user/data    | /data        | nullfs      | MNT_FORCE

     -> Information about the mount fs type (also included in source)

     Steps:
     0. Specify your options in the payload source. fstype is the type of fs you wish your partition to have. Some are not valid and will return an error. Check the table for more information. fspath is the path where you want to mount your partition. Finally, from is the location of your crypt partition.
     1. Compile the payload. Make sure the flags on your ps4sdk are properly set! (Check the readme or this post for more information.)
     2. Load elf loader.
     3. Let it stabilize on stage 5.
     4. Start the listener and run the payload:
            #listener
            socat - TCP:my.ps4.ip:5052
            #sender
            socat -u FILE:path/to/nmount TCP:my.ps4.ip:5053
        Where my.ps4.ip is your local ps4 ip and path/to/nmount is the absolute or relative path to the mounting payload.
     5. You should have your crypt partition mounted.

     PS: This does exactly the same thing as tomtomdu's partition remounter! Be very careful when using this payload! You may softbrick or even brick your device!
  7. Credits to: z80 (https://twitter.com/ZiL0G80) for finding the patches to enable more UART | /dev/klog logs on his console.

     You will need:
     * Retail Payload
     * elfldr / extreme-modding.de playground's elf loader
     * UART soldering skills / FTP server (to grab logs from /dev/klog)
     * PS4 on 1.76

     Steps:
     * Fire up your own elfldr or the extreme-modding.de one (it needs to go all the way to step 5 without out of memory!)
     * Listen to the payload:
           #listener
           socat - TCP:my.ps4.ip:5052
     * Send the payload:
           #sender
           socat -u FILE:path/to/mempatch_retail.elf TCP:my.ps4.ip:5053
     * Launch a game or a system app
     * [Extra UART] If you have UART connected, listen to the logs while the game or app is being loaded
     * [Extra klog] If you're not a soldering guy, just grab the content from /dev/klog on your FTP root server. WARNING! Logs will delete themselves once every couple of minutes or so!
     * You should have some extra logs.
  8. Inject what? That just rebuilds the database. It's the source code to the package lol. webman and rebug toolbox do the same.
  9. So, for this tutorial, none of this would've been possible without the help of harlequin and Charles. All of the credits go to them, thanks guys.

     You will need:
     * A PS4 on 1.76 firmware with FTP capabilities
     * The ps4 trophy keys (if it's inconvenient to the mods, please remove this link immediately)
     * Trophy Resigner
     * The TITLE ID of the game whose trophies you want to resign
     * A hex editor
     * Command line knowledge

     Here are the steps:
     1. Extract the contents of the trophy keys zipfile into your %USERPROFILE% folder (in my case it's C:\Users\zecoxao). You will have it as C:\Users\zecoxao\ps4keys\<keys_here>
     2. Navigate to /system_data/priv/appmeta and find the TITLE ID of the game whose trophy file you want to resign.
     3. Copy the CUSA title id folder to a safe place.
     4. Open npbind.dat inside with the hex editor: here we can see that game CUSA00434 has the corresponding trophy file NPWR05974.
     5. Now that you know the corresponding id, navigate to /user/trophy/conf, find the folder with that id and place it somewhere safe on your PC. You now have two things: your np communications id and your trophy file.
     6. Open a command line and type the appropriate command with trp_resigner.exe, following the example above:
            trp_resigner.exe NPWR05974_00/TROPHY.TRP NPWR05974_00 trophy00.trp
     7. Congratulations! You now have a resigned debug trophy.
  10. I just completed this quiz. My score: 37/100. My time: 141 seconds.
  11. This tutorial would not be possible without the help of my friend Charles. Thank you Charles, for making this possible.

      You will need:
      * A retail ps4 on 1.76 fw
      * A testkit or devkit on 1.76 fw, pre-activated (I will not go through details about the activation)
      * A game you wish to backup (disc or psn, as long as it's activated on psn)
      * hitodama's ps4sdk
      * DumpFile modified to decrypt the game's binaries (again, you're on your own)
      * An ftp payload to dump the files from app0
      * Knowledge about the previous tutorials I wrote, namely pfs bypass and decrypt games
      * (Optional) The game's icons (you'll need the original pkg for this and flatz's awesome python script)
      * A resigner for AAAA00000 trophies (keys are on the wiki; again, I won't go into much detail on this, but I'll update the tutorial later with info)
      * Target Manager and Target Manager Server (they're out there, just find them; once again, I will not help you on this)

      Some notes: I won't go into much detail on this tutorial. If you have a brain, use it. Savegames and Trophies now work. Filenames are case sensitive!

      Steps:
      - Install the game
      - Navigate to system_data/priv/appmeta/ on your ftp server and find the title id of your game (CUSAXXXXX)
      - Copy the folder to a safe place (you'll need it)
      - Navigate to /user/trophy/conf on your ftp server and find the np comms id of your game (hint: it's mentioned in the title id folder, inside npbind) (NPWRXXXXX)
      - Copy the folder to a safe place (you'll need it)
      - Resign the TRP inside the NPWR folder to debug (I'll put a tutorial after this telling how to do it) and name it trophy00.trp
      - Transfer the entire content of app0 on pfsmnt to your desktop (you should have two folders, one called sce_sys, and another called trophy inside sce_sys)
      - Copy trophy00.trp to sce_sys/trophy
      - Copy the contents of the CUSAXXXXX folder to sce_sys
      - Decrypt the prx, sprx, eboot.bin contents of your app0 game using DumpFile modified
      - Replace the existing ones in your copied app0 directory with the ones you just decrypted (using the same name)
      - Now, on your activated testkit and devkit, launch the game using the configuration of eboot.bin as loading elf and elf directory as working directory
      - You should have your own backup running on testkit/devkit. Enjoy!

      Here's the example of minecraft backup structure to serve as guide (take a closer look at the sce_sys folder): http://pastebin.com/HNHLrwG5

      Here are two videos as proof (Courtesy of Charles)
  12. Happy birthday @3141card !!
  13. It takes a while to build. In my case it took around 10 minutes on my i7, so results may vary.
  14. Credits (these go first): Original authors: wskeu (for the reading part), wildcard (for the writing part)

      Requirements:
      * 1.76 console
      * elf-loader
      * ps4-sdk
      * the payload source
      * a brain

      Steps:
      1. Compile the payload. Specifically to what you want to patch, the size, etc. So, this:
             /* set variables for reading and writing mem */
             size_t dumphexsize = 0x200;
             size_t dumpsize = 0x1; // size that you want to read
             size_t writesize = 0x1; // size of the data you are overwriting
             uint64_t base = start[0]; // use the number of the mapping you want to write to, starting with 0
             size_t intoBase = 0x465FC9; // relative position of base
         and this:
             char *target = "SceShellCore";
      2. Load elf-loader. Let it stabilize on stage 5. (To increase success rate, clear cookies, cache and history.)
      3. Load the payload. Specifically:
             #listener
             socat - TCP:my.ps4.ip:5052
             #sender
             socat -u FILE:path/to/rwmem TCP:my.ps4.ip:5053
      4. This payload will take a while to listen to logs. Be patient. After a while it'll show log output with the memory before and memory after.

      Notes: this is process peek and poke (reading and writing to process memory) using proc_rwmem, which is more efficient than the old method.
  15. Requirements:
      * ps4sdk precompiled
      * elf loader precompiled or extreme-modding's elf loader
      * the payload source
      * 1.76 console
      * usb pendrive or external hdd (fat32 or exfat, exfat recommended)
      * A preactivated online game or a purchased disc game
      * The TITLE ID of the disc or online game

      Steps:
      1. Compile the payload with the correct commands. Specifically for The Playroom (CUSA00001):
             decrypt_and_dump_self("/mnt/sandbox/pfsmnt/CUSA00001-app0/eboot.bin", "/mnt/usb0/eboot.bin");
             decrypt_and_dump_self("/mnt/sandbox/pfsmnt/CUSA00001-app0/sce_module/libc.prx", "/mnt/usb0/libc.prx");
             decrypt_and_dump_self("/mnt/sandbox/pfsmnt/CUSA00001-app0/sce_module/libSceFios2.prx", "/mnt/usb0/libSceFios2.prx");
             decrypt_and_dump_self("/mnt/sandbox/pfsmnt/CUSA00001-app0/sce_sys/about/right.sprx", "/mnt/usb0/right.sprx");
      2. Start the game.
      3. Minimize the game (PS Button).
      4. Access elf loader.
      5. Let it load all the way until stage 5 and stabilize.
      6. Plug the usb stick or hdd into the rightmost port, near the PS4 logo.
      7. Load the payload:
             #listener
             socat - TCP:my.ps4.ip:5052
             #sender
             socat -u FILE:path/to/DumpFile TCP:my.ps4.ip:5053
      8. When it finishes loading (user return 0) unplug the stick or hdd and check inside. You should have the files in elf format on the root.

      PS: This is a continuation of the previous tutorial "dump and decrypt usermodules".
      PPS: Do not forget that the games' decryption requires an ABSOLUTE PATH due to rif management.