zecoxao

Super Admin
  1. Requirements:
     - Minecraft Patch
     - Kernel Hooks Payload
     - CUSA00265 decrypted eboot named eboot_dec.bin
     - CUSA00265 filesystem (minus sce_modules)
     - The Playroom encrypted sce_modules
     - Playground that supports Code Exec and Elf Loader / Extreme-modding.de playground / etc.
     - FileZilla Client (transfer mode MUST be binary)
     - NetCat
     - Socat

     Tutorial:
     1- Create a folder in the data folder named app2 (with the ftp payload, binary mode always, NOT ascii)
     2- Put the original sce_modules from Playroom in the folder (encrypted, not modified)
     3- Put eboot_plugin in the folder
     4- Put eboot_dec.bin (from the game we want to use, in this case Minecraft Trial CUSA00265)
     5- Put the game files and folders (from the game we want to use)
     6- Reboot to clean memory from previous ftp payload patches
     7- Execute the kernel_hook payload (socat -u FILE:kernel_hooks TCP:my.ps4.ip:5054). Note that this is hitodama
     8- Run a listener to grab logs (nc my.ps4.ip 5088). You should see some logs on it
     9- Minimize the browser with the PS button
     10- Run Playroom. Instead of the usual app, the Minecraft Trial version should show up.

     Notes:
     - This is only a POC, so treat it as such
     - Most games SHOULD work with this method, but each and every one of them will require a "patch" (I call it that because it's the file that allows the eboot to run)
     - Additionally, games that require modules besides libc and/or libSceFios2 will most likely not work, at least for now.
     - Homebrew DOES work with this method, but as you can see from the SDKs available (the open source ones) there is no Graphics API whatsoever. This method however supports hitodama-compiled ELFs.
     - As for credits/source code, we're still discussing the best way to release this without any lawsuit from Sony (not that they're very interested in 1.76, but whatever...)
     - The next game that we're working on is P.T. Some people are also working on homebrew. Hopefully that'll happen soon, but until then, STOP ASKING!
     - In the meantime, maybe there'll be a source release on how to do the eboot_plugin "patches". Just be patient.

     Video:
  2. PlayStation Press Conference 2017 - Watch Here

    Hoping for some FFVII remake LMAO
  3. [Release] rsxploit updated and working

    Not yet. First we'd need to have peek and poke, and to do that we need to be able to write to the area where the code is, and we cannot because it is protected by a hash that only exists in lv1 memory. BUT IF we have a browser exploit and this on < 4.40, we can write to lv2 accessible regions, yes, and we could try to get out of it (we're working on it right now).
  4. So, after some deliberation with Zer0Tolerance, we decided to release an updated version of the lv2 exploit that my friend released a long time ago.

     First, some notes:
     - This exploit was patched on 4.40, NOT on 4.45
     - There isn't just ONE non-checked pointer, there are FOUR! All 4 of them are now checked in 4.40

     /*
      * lv2 SysCall 670 (0x29E): sys_rsx_context_allocate
      * @param context_id (OUT): RSX context, E.g. 0x55555555 (in vsh.self)
      * @param lpar_dma_control (OUT): Control register area. E.g. 0x60100000 (in vsh.self)
      * @param lpar_driver_info (OUT): RSX data like frequencies, sizes, version... E.g. 0x60200000 (in vsh.self)
      * @param lpar_reports (OUT): Report data area. E.g. 0x60300000 (in vsh.self)
      * @param mem_ctx (IN): mem_ctx given by sys_rsx_memory_allocate
      * @param system_mode (IN):
      */

     /*
      * After some verification it turns out that 4 pointers aren't checked.
      * They are:
      *   context_id
      *   lpar_dma_control
      *   lpar_driver_info
      *   lpar_reports
      *
      * we can write values at:
      *   rsx_context + 0x04 (4 bytes) - context_id
      *   rsx_context + 0x20 (8 bytes) - lpar_dma_control
      *   rsx_context + 0x30 (8 bytes) - lpar_driver_info
      *   rsx_context + 0x40 (8 bytes) - lpar_reports
      *
      * to properly specify a kernel address use ULL for big numbers
      */

     You can test this for instance on a 4.21 CFW console by specifying an address in one of the parameters and then dumping memory before and after running the syscall. Just be careful that you need to be able to write to that region!

     https://www.sendspace.com/file/rnf0eg
     ^ link to the exploit

     Many thanks to @IronMan and @AlexAltea for the help. This exploit will be even better later, so stick around.
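An added example, not the linked exploit and not lv2 code: a constructed Python model of why four unchecked OUT pointers in sys_rsx_context_allocate give a kernel write primitive (the caller picks the destination, the kernel supplies the value stored at rsx_context + 0x04/0x20/0x30/0x40), and of a pointer range check of the kind that closes it. Only the syscall number, the four parameter names and the rsx_context offsets and sizes come from the post; the flat memory, the user/kernel ranges, the rsx_context address, the filled-in values and the error code are assumptions made for the model.

```python
"""Model of sys_rsx_context_allocate (lv2 syscall 670) OUT-pointer handling.

Constructed example: a flat bytearray stands in for memory and addresses
are offsets into it. Only the parameter names and the rsx_context field
offsets/sizes are taken from the post; everything else is assumed.
"""
import struct

USER_BASE, USER_END = 0x0000, 0x8000    # assumed user-accessible range
KERN_BASE, KERN_END = 0x8000, 0x10000   # assumed kernel range
RSX_CONTEXT = 0x9000                    # assumed address of the kernel rsx_context
EFAULT = 0x80010009                     # assumed error code for a bad user pointer
MEM = bytearray(KERN_END)

# (name, offset inside rsx_context, size) of the value copied to each OUT pointer,
# in parameter order: context_id, lpar_dma_control, lpar_driver_info, lpar_reports
OUT_FIELDS = (
    ("context_id",       0x04, 4),
    ("lpar_dma_control", 0x20, 8),
    ("lpar_driver_info", 0x30, 8),
    ("lpar_reports",     0x40, 8),
)


def reset_memory():
    """Zero everything and fill rsx_context with the example values quoted in the post."""
    MEM[:] = bytes(KERN_END)
    struct.pack_into(">I", MEM, RSX_CONTEXT + 0x04, 0x55555555)
    struct.pack_into(">Q", MEM, RSX_CONTEXT + 0x20, 0x60100000)
    struct.pack_into(">Q", MEM, RSX_CONTEXT + 0x30, 0x60200000)
    struct.pack_into(">Q", MEM, RSX_CONTEXT + 0x40, 0x60300000)


def copy_out(dst, off, size):
    """Kernel-side store of rsx_context+off to *dst. An unmapped dst 'crashes',
    which is the 'you need to be able to write to that region' caveat."""
    if dst < 0 or dst + size > len(MEM):
        raise MemoryError(f"write to unmapped address {dst:#x}")
    MEM[dst:dst + size] = MEM[RSX_CONTEXT + off:RSX_CONTEXT + off + size]


def syscall_670_unchecked(context_id, lpar_dma_control, lpar_driver_info, lpar_reports):
    """Pre-4.40 behaviour as the post describes it: the OUT pointers are used as given,
    so the caller chooses the destination and the kernel supplies the value."""
    ptrs = (context_id, lpar_dma_control, lpar_driver_info, lpar_reports)
    for ptr, (_, off, size) in zip(ptrs, OUT_FIELDS):
        copy_out(ptr, off, size)
    return 0


def in_user_range(ptr, size):
    return USER_BASE <= ptr and ptr + size <= USER_END


def syscall_670_checked(context_id, lpar_dma_control, lpar_driver_info, lpar_reports):
    """A check of the kind 4.40 added (assumed form): every OUT pointer is
    validated before anything is written, so no partial write happens."""
    ptrs = (context_id, lpar_dma_control, lpar_driver_info, lpar_reports)
    if not all(in_user_range(p, size) for p, (_, _, size) in zip(ptrs, OUT_FIELDS)):
        return EFAULT
    return syscall_670_unchecked(*ptrs)


def read_u32(addr):
    return struct.unpack_from(">I", MEM, addr)[0]


def read_u64(addr):
    return struct.unpack_from(">Q", MEM, addr)[0]


if __name__ == "__main__":
    reset_memory()
    target = KERN_BASE + 0x100   # a kernel address the caller should never be able to write
    syscall_670_unchecked(target, target + 8, target + 16, target + 24)
    print(f"unchecked: kernel word at {target:#x} is now {read_u32(target):#x}")
    reset_memory()
    rc = syscall_670_checked(target, target + 8, target + 16, target + 24)
    print(f"checked:   rc={rc:#x}, kernel word at {target:#x} is {read_u32(target):#x}")
```

The model makes the shape of the primitive explicit: the attacker controls only where the 4- and 8-byte values land, not what they are, which is why the post's test recipe is "dump memory before and after" rather than "write a chosen value".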
  5. You need:
     - fixed ftp payload with full debug settings
     - ps4 on 1.76
     - pc to send the payload
     - netcat/netcat gui
     - HxD or hex editor of choice

     This follows the same way as the previous tutorials, so I'll just make this simple.
     Before sending the payload, hex edit it to add your IP. Search for 192.168.000.000, replace it with your ps4 IP, and just send it with netcat. You should have FTP working then.
     Everything else is the same as for CTurt payloads. You get spoof to 5.00 firmware, FTP now allows you to dump crypt and cryptx partitions, as well as other things like iccnvs, and Debug Settings are fully working (using Devkit Target ID).

     Credits:
     - Sealab (for the full debug settings patches)
     - @wildcard (for the port to the 1.01 payload)
     - @fx0day (for the original FTP payload sauce)
     - @flatz (for the FTP payload fixes)
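An added example, not the payload author's tool: a script that does the HxD and netcat steps above in one go. It assumes the payload carries the IP as the literal placeholder string 192.168.000.000 from the post (four zero-padded octets), so the replacement is rendered in the same 15-byte form and the file size never changes, exactly as an overwrite in HxD would behave. The loader port is whatever the playground's payload listener uses and is passed on the command line; the sample payload in the test is constructed.

```python
"""Patch the PS4 IP into the FTP payload and send it, in place of HxD + netcat.

Added example, not the payload author's tool. It assumes the payload carries
the IP as the literal placeholder 192.168.000.000 from the post, i.e. four
zero-padded octets, so the replacement must keep the same 15-byte form.
"""
import socket
import sys

PLACEHOLDER = b"192.168.000.000"   # placeholder string named in the post


def fixed_width_ip(ip: str) -> bytes:
    """Render a dotted quad with 3-digit octets so it is exactly len(PLACEHOLDER) bytes."""
    parts = ip.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {ip!r}")
    octets = [int(p) for p in parts]
    if any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"octet out of range: {ip!r}")
    out = ".".join(f"{o:03d}" for o in octets).encode("ascii")
    assert len(out) == len(PLACEHOLDER)
    return out


def patch_payload_ip(payload: bytes, ip: str) -> bytes:
    """Replace the placeholder in place. Refuses ambiguous payloads and never
    changes the size, so no code or data after the string is shifted."""
    hits = payload.count(PLACEHOLDER)
    if hits != 1:
        raise ValueError(f"expected exactly one {PLACEHOLDER!r}, found {hits}")
    patched = payload.replace(PLACEHOLDER, fixed_width_ip(ip))
    assert len(patched) == len(payload)   # an in-place edit, as with HxD
    return patched


def send_payload(data: bytes, host: str, port: int, timeout: float = 10.0) -> int:
    """Equivalent of `nc host port < payload.bin`: one TCP stream, then close the write side."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(data)
        sock.shutdown(socket.SHUT_WR)
    return len(data)


if __name__ == "__main__":
    # usage: patch_and_send.py payload.bin <ps4 ip> <loader port>
    raw = open(sys.argv[1], "rb").read()
    patched = patch_payload_ip(raw, sys.argv[2])
    print("sent", send_payload(patched, sys.argv[2], int(sys.argv[3])), "bytes")
```

Keeping the zero-padded form matters because the payload's own code parses that string; whatever form the placeholder has is the form the parser expects, so the script reproduces it rather than writing the shortest dotted quad.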
  6. You need to do this with a PS2 Classics installed.
  7. https://www.sendspace.com/file/mx1kjx @3141card has asked me to release this as well. 4.81 netemu with temperature display. Enjoy!
  8. @3141card has asked me to share this. It is ps2_netemu from 4.81 with full hvcall support, and an option to dump lv1 from inside netemu. @mysis this is also for you. https://mega.nz/#!FlMQ3SyB!-wtUdxvPEuGBZoB1awY9I5f3zBd_f3qLG7NOZugLE28 Instructions on how to dump lv1 are inside. Have fun.
  9. @Red-EyeX32 asked me to share this with you guys (it's already released but whatever) https://mega.nz/#!h4VnyCxK!n7Sqh9h6_zGT2dnFzue-6_ZUDNh0kfKnuPVmLUWHa-U
  10. How to find TOC in lv1:
  11. @3141card @Joonie @mysis proof of concept scripts: https://www.sendspace.com/file/mv5czq
      lv2_dump_analyser_before_355.idc <- script for firmwares before 3.55 and after 1.02 (TOC located at segment #7)
      lv2_dump_analyser_355_plus.idc <- script for firmwares 3.55 and above (TOC located at segment #6)
      Useful if you want to find everything quick and leave the syscall table for later. Just add those two to the ps3ida folder and use them according to version. TOC will be automatically found.
  12. Tools Required:
      * IDA Pro (don't ask where to find it, Google is your friend)
      * HxD
      * 7zip
      * Tools to extract the elf from lv2_kernel.self (Unself/Unself2/Scetool/etc) / pup unpack tools

      Step 1: Extract the elf from lv2_kernel (here I'm using aldos tools) by right clicking lv2 and choosing "SELF Tools->Extract ELF"
      Step 2: Extract the elf further with 7zip by right clicking the elf and choosing "7zip-> Extract to <name_of_file_without_extension>". It'll create a folder and extract its contents. If a popup box shows up asking to overwrite or not, choose "Rename automatically"
      Step 3: Open the folder and go to the segment with 46KB/45KB size. Open it with HxD and go 0x8000 bytes into the file from the start position. Example for 1.02 lv2_kernel:
      Step 4: Copy the first 8 bytes from 0x8000 to the transfer area.
      Step 5: Open the kernel in IDA Pro and let it load. After it loads, search for those bytes. You should see an unknown data structure. That is your TOC.

      PS: Tested on 4.46 REX Cex Kernel, 1.02 CEX Kernel, and 4.60 DECR Kernel, as well as 3.41 CEX Kernel v1, 2.70 CEX Kernel and 2.00 CEX Kernel
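An added script, not from this post and not the IDC scripts from the post before it, that automates Steps 3 to 5 directly on the ELF extracted from lv2_kernel.self instead of going through 7zip, HxD and IDA: it lists the PT_LOAD segments with their program-header index (so the "TOC at segment #7 before 3.55, #6 from 3.55" rule of the IDC scripts can be cross-checked), picks the segment of roughly 46 KB, reads the 8 bytes at 0x8000 into it, and searches the whole image for those bytes, reporting each hit as a virtual address. It assumes a standard 64-bit big-endian ELF; the size window and the sample ELF built at the bottom are constructed for the example.

```python
"""Automate the TOC-finding steps on an extracted lv2_kernel ELF.

Added example, not from the post. Assumes a standard ELF64 big-endian
image (what unself produces from lv2_kernel.self). The sample ELF in
build_sample_elf() is constructed only to exercise the code.
"""
import struct
import sys

PT_LOAD = 1
EHDR_FMT = ">16sHHIQQQIHHHHHH"   # Elf64_Ehdr, big-endian, 64 bytes
PHDR_FMT = ">IIQQQQQQ"           # Elf64_Phdr, 56 bytes
TOC_INNER_OFFSET = 0x8000        # "go 0x8000 bytes into the segment" (Step 3)


def load_segments(elf: bytes):
    """Return the PT_LOAD segments with their program-header index (for the #6/#7 rule)."""
    (ident, _type, _mach, _ver, _entry, phoff, _shoff, _flags,
     _ehsize, phentsize, phnum, _shentsize, _shnum, _shstrndx) = struct.unpack_from(EHDR_FMT, elf, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 2:
        raise ValueError("expected a 64-bit big-endian ELF")
    segs = []
    for i in range(phnum):
        p_type, _pflags, off, vaddr, _paddr, filesz, _memsz, _align = struct.unpack_from(
            PHDR_FMT, elf, phoff + i * phentsize)
        if p_type == PT_LOAD:
            segs.append({"index": i, "offset": off, "vaddr": vaddr, "filesz": filesz})
    return segs


def pick_toc_segment(segs, lo=44 * 1024, hi=47 * 1024):
    """The segment Explorer shows as 45KB/46KB (Step 3); the window is an assumption."""
    cands = [s for s in segs if lo <= s["filesz"] <= hi]
    if len(cands) != 1:
        raise ValueError(f"expected one ~46 KB segment, found {len(cands)}: "
                         + ", ".join(f"#{s['index']}={s['filesz']:#x}" for s in cands))
    return cands[0]


def toc_anchor_bytes(elf: bytes, seg) -> bytes:
    """The 8 bytes at 0x8000 into the chosen segment (Step 4)."""
    if TOC_INNER_OFFSET + 8 > seg["filesz"]:
        raise ValueError("segment too small to hold the anchor")
    start = seg["offset"] + TOC_INNER_OFFSET
    return bytes(elf[start:start + 8])


def vaddr_of(segs, file_off):
    """Map a file offset to the virtual address of the segment containing it."""
    for s in segs:
        if s["offset"] <= file_off < s["offset"] + s["filesz"]:
            return s["vaddr"] + (file_off - s["offset"])
    return None


def find_toc(elf: bytes):
    """Step 5 without IDA: search the image for the anchor bytes, excluding the spot
    they were read from, and return (segment index, anchor, [virtual addresses of hits])."""
    segs = load_segments(elf)
    seg = pick_toc_segment(segs)
    anchor = toc_anchor_bytes(elf, seg)
    source = seg["offset"] + TOC_INNER_OFFSET
    hits, pos = [], elf.find(anchor)
    while pos != -1:
        if pos != source:
            hits.append(vaddr_of(segs, pos))
        pos = elf.find(anchor, pos + 1)
    return seg["index"], anchor, hits


def build_sample_elf() -> bytes:
    """Constructed ELF64/BE image: a small text segment, a 46 KB segment carrying the
    anchor at 0x8000, and a data segment where the same 8 bytes mark the 'TOC'."""
    anchor = struct.pack(">Q", 0x8000000000700100)
    segments = [
        (0x8000000000000000, bytes(0x1000)),
        (0x8000000000300000, bytes(0x8000) + anchor + bytes(46 * 1024 - 0x8008)),
        (0x8000000000700000, bytes(0x100) + anchor + bytes(0x300)),
    ]
    data_start, phdrs, body = 0x100, b"", b""
    for vaddr, data in segments:
        phdrs += struct.pack(PHDR_FMT, PT_LOAD, 7, data_start + len(body), vaddr, vaddr,
                             len(data), len(data), 0x1000)
        body += data
    ehdr = struct.pack(EHDR_FMT, b"\x7fELF\x02\x02\x01" + bytes(9), 2, 21, 1, 0, 64, 0, 0,
                       64, 56, len(segments), 0, 0, 0)
    return ehdr + phdrs + bytes(data_start - len(ehdr) - len(phdrs)) + body


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    idx, anchor, hits = find_toc(image)
    print(f"anchor {anchor.hex()} read from PT_LOAD #{idx}; TOC candidates:",
          ", ".join(f"{h:#x}" for h in hits))
```

The search is byte-wise, like IDA's, so on a real kernel it can return more than one candidate; when it does, prefer the hit that falls in the segment the IDC-script post names for that firmware (#7 before 3.55, #6 from 3.55 on), which is the same cross-check you would do by hand.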
  13. PS2 Netemu - Unlock Config Mode and Debug Info Mode

    @mysis needs to see this
  14. Qwertyuiopz Teasing 4.5x hacked on twitter

    BORING! ksploit isn't SAMU, so it's BORING!