zecoxao

This executable decompresses ARZL binaries for the ps4, like the compressed eap kernel. This SHOULD also work on vita but i'm not sure about it. Download Link: https://www.sendspace.com/file/liris4

Happy birthday

Apologies for the necro bump, but since there's a new ksploit floating around i figured i might change < 2.00 games as green to < 4.06 games as green

fuck you @GregoryRasputin thanks guys

read the instructions again please: 1. load wb and start code execution, wait till its waiting for payload 2. press ps button 3. run the game 4. send the payload containing the path to the eboot inside the mounted folder in pfsmnt 5. collect your modules/eboot on usb0/any other output path that's how you prevent out of memory errors (this also happens with elfs)

go to that line and follow the instructions there.

use https://github.com/idc/PS4-SDK

there are tutorials that do this for you here. https://playstationhax.xyz/forums/topic/3271-tutorial-how-to-decrypt-and-dump-games-ebootprx-and-sprx/ https://playstationhax.xyz/forums/topic/3104-tutorial-how-to-bypass-pfs-protection-entirely/ but this is deprecated. i released on twitter a payload that allows to play any game without eboot_plugin patch

If any of you has any difficulty in running this tutorial, just use this payload instead and follow these steps on 1.76: https://www.sendspace.com/file/v81sn4 1. load wb and start code execution, wait till its waiting for payload 2. press ps button 3. run the game 4. send the payload containing the path to the eboot inside the mounted folder in pfsmnt 5. collect your modules/eboot on usb0/any other output path

Requirements: Minecraft Patch Kernel Hooks Payload CUSA00265 decrypted eboot named as eboot_dec.bin CUSA00265 filesystem (minus sce_modules) The Playroom encrypted sce_modules Playground that supports Code Exec and Elf Loader / Extreme-modding.de playground / etc Filezilla Client (Transfer mode MUST be binary) NetCat Socat Tutorial: 1- Create Folder in data folder named app2 (with ftp payload, binary mode always, NOT ascii) 2- Put in Folder original sce_modules from playroom (encrypted, not modified) 3- Put eboot_plugin in folder 4- Put eboot_dec.bin (from game we want to use, in this case, Minecraft Trial CUSA00265) 5- Put game files and folders (from game we want to use) 6- Reboot to clean memory from previous ftp payload patches 7- Execute kernel_hook payload (socat -u FILE:kernel_hooks TCP:my.ps4.ip:5054). Note that this is hitodama 8- Run listener to grab logs (nc my.ps4.ip 5088). You should see some logs on it 9- Minimize browser with PS Button 10- Run Playroom. Instead of the usual app, Minecraft Trial version should show up. Notes: This is only a POC, so treat it as such Most games SHOULD work with this method, but each and everyone of them will require a "patch" (i call it like that because it's the file that allows the eboot to run) Additionally, games that require modules besides libc and/or libSceFios2 will most likely not work, at least for now. Homebrew DOES work with this method, but as you can see from the SDKs available (the open source ones) there is no Graphics API whatsoever. This method however supports hitodama compiled ELFs. As for credits/source code, we're still discussing the best way to release this without any lawsuit from Sony (not that they're very interested in 1.76 but whatever...) The next game that we're working on is P.T. Some people are also working on homebrew. Hopefully that'll happen soon, but until then, STOP ASKING! In the meantime, maybe there'll be a source release on how to do the eboot_plugin "patches". Just be patient Video:

Vitashell 6

Hoping for some FFVII remake LMAO

Not yet. first we'd need to have peek and poke. and to do that we need to be able to write to the area where the code is. and we cannot because it is protected by a hash that only exists in lv1 memory. BUT IF we have a browser exploit and this on < 4.40 we can write to lv2 accessible regions, yes. and we could try to get out of it (we're working on it right now)

so, after some deliberation with Zer0Tolerance, we decided to release an updated version of the lv2 exploit that my friend released a long time ago. First, some notes: This exploit was patched on 4.40, NOT on 4.45 There isn't just ONE non checked pointer, there are FOUR! they are all 4 now checked in 4.40 /* * lv2 SysCall 670 (0x29E): sys_rsx_context_allocate * @param context_id (OUT): RSX context, E.g. 0x55555555 (in vsh.self) * @param lpar_dma_control (OUT): Control register area. E.g. 0x60100000 (in vsh.self) * @param lpar_driver_info (OUT): RSX data like frequencies, sizes, version... E.g. 0x60200000 (in vsh.self) * @param lpar_reports (OUT): Report data area. E.g. 0x60300000 (in vsh.self) * @param mem_ctx (IN): mem_ctx given by sys_rsx_memory_allocate * @param system_mode (IN): */ /* After some verification it turns out that 4 pointers aren't checked They are: context_id lpar_dma_control lpar_driver_info lpar_reports we can write values at: rsx_context + 0x04 (4Bytes) - context_id rsx_context + 0x20 (8Bytes) - lpar_dma_control rsx_context + 0x30 (8Bytes) - lpar_driver_info rsx_context + 0x40 (8Bytes) - lpar_reports to properly specify a kernel address use ULL for big numbers */ you can test this for instance on a 4.21 cfw console by specifying an address in one of the parameters and then dumping memory before and after running the syscall. just be careful that you need to be able to write to that region! https://www.sendspace.com/file/rnf0eg ^ link to the exploit Many thanks to @IronMan and @AlexAltea for the help. this exploit will be even better later, so stick around

You need: fixed ftp payload with full debug settings ps4 on 1.76 pc to send the payload netcat/netcat gui HxD or hexeditor of choice This follows the same way of the previous tutorials so i'll just make this simple. Before sending the payload, hexedit it to add your IP. Search for 192.168.000.000 replace it with your ps4 IP: and just send it with netcat You should have FTP working then. Everything else is the same for CTurt payloads. You get spoof to 5.00 firmware, FTP now allows you to dump crypt and cryptx partitions, as well as other things like iccnvs and Debug Settings are fully working (using Devkit Target ID) Credits: Sealab ( For the full debug settings patches) @wildcard ( For the port to 1.01 payload) @fx0day (For the original FTP payload sauce) @flatz ( For the FTP payload fixes)